Asynchronous programming is a ubiquitous systems programming idiom to manage concurrent interactions 
with the environment. In this style, instead of waiting for time-consuming operations to complete, the 
programmer makes a non-blocking call to the operation and posts a callback task to a task buffer that 
is executed later when the time-consuming operation completes. A co-operative scheduler mediates the 
interaction by picking and executing callback tasks from the task buffer to completion (and these callbacks 
can post further callbacks to be executed later). Writing correct asynchronous programs is hard because 
the use of callbacks, while efficient, obscures program control flow. 

We provide a formal model underlying asynchronous programs and study verification problems for 
this model. We show that the safety verification problem for finite-data asynchronous programs is 
EXPSPACE-complete. We show that liveness verification for finite-data asynchronous programs is decidable and 
polynomial-time equivalent to Petri Net reachability. Decidability is not obvious, since even if the data is 
finite-state, asynchronous programs constitute infinite-state transition systems: both the program stack and 
the task buffer of pending asynchronous calls can be potentially unbounded. 

Our main technical construction is a polynomial-time semantics-preserving reduction from asynchronous 
programs to Petri Nets and conversely. The reduction allows the use of algorithmic techniques on Petri Nets 
to the verification of asynchronous programs. 

We also study several extensions to the basic models of asynchronous programs that are inspired by 
additional capabilities provided by implementations of asynchronous libraries, and classify the decidability 
and undecidability of verification questions on these extensions. 
1. INTRODUCTION 

Asynchronous programming is a ubiquitous idiom to manage concurrent interactions with 
the environment with low overhead. In this style of programming, rather than waiting for 
a time-consuming operation to complete, the programmer can make asynchronous procedure 
calls which are stored in a task buffer pending for later execution, instead of being 
executed right away. We call handlers those procedures that are asynchronously called by 
the program. In addition, the programmer can also make the usual synchronous procedure 
calls where the caller blocks until the callee finishes. A co-operative scheduler repeatedly 
picks pending handler instances from the task buffer and executes them atomically to 
completion. Execution of a handler instance can lead to further handlers being posted. We say 
that handler p is posted whenever an instance of p is added to the task buffer. The posting 
of a handler is done using the asynchronous call mechanism. The interleaving of different 
picks-and-executes of pending handler instances (a pick-and-execute is often referred to as 
a dispatch) hides latency in the system. Asynchronous programming has been used to build 
fast servers and routers [Pai et al. 1999; Kohler et al. 2000], embedded systems and sensor 
networks [Hill et al. 2000], and forms the basis of web programming using Ajax. 

Writing correct asynchronous programs is hard. The loose coupling between asynchronous 
calls obscures the control and data flow, and makes it harder to reason about them. The 
programmer must keep track of concurrent interactions, manage data flow between posted 
handlers (including saving and passing appropriate state between dispatches), and ensure 
progress. Since the scheduling and resource management is co-operative and performed by 
the programmer, one mis-behaving procedure (e.g., one that does not terminate, or takes 
up too many system resources) can bring down the entire system. 

We study the problem of algorithmic verification of safety and liveness properties of 
asynchronous programs. Informally, safety properties specify that "something bad never 
happens," and liveness properties specify that "something good eventually happens." For 
example, a safety property can state that a web server does not crash while handling a 
request, and a liveness property can state that (under suitable fairness constraints) every 
request to a server is eventually served. 

For our results, we focus on finite-data asynchronous programs in which data variables 
range over a finite domain of values. Our main results show that the safety verification 
for finite-data asynchronous programs is EXPSPACE-complete, and the liveness verification 
problem is decidable and polynomial-time equivalent to Petri net reachability. The finiteness 
assumption on the data is necessary for decidability results, since all verification questions 
are already undecidable for 2-counter machines [Minsky 1967]. However, since the depth of 
the stack or the size of the task buffer could both be unbounded, even with finitely many 
data values, asynchronous programs define transition systems with possibly infinitely many 
states. 

Specifically, we develop algorithms to check that an asynchronous program (1) reaches a 
particular data value (global state reachability, to which safety questions can be reduced) and 
(2) terminates under certain fairness constraints on the scheduler and external events (fair 
termination, to which liveness questions can be reduced [Vardi 1991]). For fair termination, 
the fairness conditions on the scheduler rule out certain undesired paths, in which for 
example the scheduler postpones some pending handler forever. 

For sequential programs with synchronous calls, both safety and liveness verification 
problems have been studied extensively, and decidability results are well known [Sharir and 
Pnueli 1981; Burkart and Steffen 1994; Reps et al. 1995; Bouajjani et al. 1997; Walukiewicz 
2001]. One simple attempt is to reduce reasoning about asynchronous programs to reasoning 
about synchronous programs by explicitly modeling the task buffer and the scheduling. A 
way to model an asynchronous program as a sequential one, is to add a counter representing 
the number of pending instances for each handler, increment the appropriate counter each 
time a handler is posted, and model the scheduler as a dispatch loop which picks a non-zero 
counter, decrements it, and executes the corresponding handler code. While the reduction is 
sound, the resulting system is infinite state, as the counters modeling the pending handler 
instances can be unbounded, and it is not immediate that existing safety and liveness 
checkers will be complete in this case (indeed, checking safety and liveness for recursive 
counter programs is undecidable in general). 

Instead, our decidability proofs rely on a connection between asynchronous programs and 
Petri nets [Reisig 1986], an infinite state concurrency model with many decidable properties. 
In particular, we show an encoding of asynchronous programs into Petri nets and vice versa. 
This enables the reduction of decision problems on asynchronous programs to problems on 
Petri nets. As noted in [Chadha and Viswanathan 2007; Jhala and Majumdar 2007; Sen and 
Viswanathan 2006] , the connection to Petri nets uses the fact that the two sources of un- 
boundedness — unbounded program stack from recursive synchronous calls and unbounded 
counters from pending asynchronous calls — can be decoupled: while a (possibly recursive) 
procedure is executing, the number of pending handler instances can only increase, and the 
number of pending handler instances decreases precisely when the program stack is empty. 
Accordingly, our proof of decidability proceeds as follows. 

First, we note that the change to the state of the task buffer before and after the dispatch 
of a handler depends only on the number of times each handler is posted. Therefore the 
ordering in which handlers have been posted can simply be ignored. Thus, while the execution 
of the handler (in general) defines a context-free language over the alphabet of handlers, 
what is important from the analysis perspective is the Parikh image [Parikh 1966] of this 
language. (Recall that the Parikh image of a word counts the number of occurrences of each 
letter in the word, and the Parikh image of a language is the set of Parikh images of each of 
its words.) We show that the effect of each handler can be encoded by a Petri net which is 
linear in the size of the grammar representation of the handler. Our Petri net construction 
builds upon [Esparza 1997] but extends it so as to satisfy one additional property of crucial 
importance for correctness. Given the Petri net encoding of individual handlers, we can 
then construct a Petri net that strings together the handlers according to the semantics of 
asynchronous programs. This Petri net is linear in the size of the asynchronous program 
and captures in a precise sense the computations of the asynchronous system. Moreover, 
given a Petri net, we can conversely construct an asynchronous program polynomial in the 
size of the Petri net that captures in a precise sense the behaviors of the net, a result that 
is useful to prove lower bounds on asynchronous programs. 

Safety verification then reduces to checking coverability of the Petri net for which we can 
use known decidability results [Karp and Miller 1969; Rackoff 1978]. Together, this gives 
a tight EXPSPACE-complete decision procedure for safety verification of asynchronous pro- 
grams. (The lower bound follows from known EXPSPACE-hardness of Petri net coverability 
[Lipton 1976] and an encoding of an arbitrary Petri net as an asynchronous program that 
is linear in the size of the Petri net.) Previous decidability proofs for safety verification 
[Sen and Viswanathan 2006; Jhala and Majumdar 2007] used backward reachability of well- 
structured transition systems [Abdulla et al. 1996] to argue decidability, and did not yield 
any upper bound on the complexity of the problem. 

An alternate route to safety verification [Sen and Viswanathan 2006] explicitly invokes 
Parikh's theorem [Parikh 1966] to construct, for each handler, a regular language which 
has the same Parikh image. Coupled with our construction of Petri nets, this gives another 
algorithm for safety verification. Unfortunately, this construction does not give a tight com- 
plexity bound. It is known that the automaton representation of a regular set with the 
same Parikh image as a context-free grammar can be at least exponential in the size of 
the grammar. Thus, the Petri net obtained using the methods of [Sen and Viswanathan 
2006] can be exponential in the size of the original asynchronous program. This only gives a 
2EXPSPACE upper bound on safety verification (using the EXPSPACE upper bound for Petri 
net coverability [Rackoff 1978]). 

For fair termination, we proceed in two steps. An asynchronous program can fail to 
terminate in two ways. First, a particular handler execution can loop forever. Second, each 
dispatch can terminate, but there can be an infinite sequence of posted handlers and dispatches. 
For infinite runs of the first kind, the task buffer can be abstracted away (as no dispatches 
occur from within a dispatched handler) and we can use a combination of safety verification 
(checking that a particular handler can ever be dispatched) and techniques for liveness 
checking for finite-state pushdown systems [Burkart and Steffen 1994; Walukiewicz 2001] 
(checking that a handler loops forever). 

The second case above is more interesting, and we focus on this problem. For infinite runs 
of the second form, we note that the Petri net constructed from an asynchronous program 
preserves all infinite behaviors, and we can reduce fair termination of the asynchronous 
program (assuming each individual dispatched handler terminates) to an analogous prop- 
erty on the Petri net. We show that this property can be encoded in a logic on Petri nets 
[Yen 1992], which can be reduced to checking certain reachability properties of Petri nets 
[Atig and Habermehl 2009]. Conversely, we show that the Petri net reachability problem 
can be reduced in polynomial time to a fair termination question on asynchronous pro- 
grams. Together, we show that the fair termination problem for asynchronous programs 
is polynomial-time equivalent to the Petri net reachability problem. Again, this gives an 
EXPSPACE-hard lower bound on the problem [Lipton 1976]. On the other hand, the best 
known upper bounds for Petri net reachability take non-primitive recursive space [Kosaraju 
1982; Lambert 1992; Mayr 1981; Mayr and Meyer 1981]. (In the absence of fairness, i.e., 
for the termination problem, we get an EXPSPACE-complete algorithm. Previously, [Chadha 
and Viswanathan 2009] gave a decision procedure for this problem, but the complexity of 
their procedure is not apparent.) 

The reduction to Petri nets also enables us to provide decision procedures for related 
verification questions on asynchronous programs. First, we show a decision procedure for 
boundedness, a safety property that asserts there exists some finite N such that the max- 
imum possible size of the task buffer at any point in any execution is at most N. For the 
boundedness property we again use a known result on Petri nets which allows one to decide the 
existence of an upper bound D on the size of the task buffer at any point in any execution (or 
return infinity, if the task buffer is unbounded). Since the task buffer is often implemented 
as a finite buffer, let us say of size d, if D > d holds then there is an execution of the system 
that leads to an overflow of the buffer, and to a possible crash. Our decision procedure for 
the boundedness problem uses the above reduction to Petri nets, and checks boundedness of 
Petri nets using standard algorithms in EXPSPACE. Second, the fair non-starvation question 
asks, given an asynchronous program and a fairness condition on executions, whether every 
pending handler instance is eventually dispatched (i.e., no pending handler instance waits 
forever). Fair non-starvation is practically relevant to ensure that an asynchronous program 
(such as a server) is responsive. We show fair non-starvation is decidable by showing a 
reduction to Petri nets. 

We also study safety and liveness verification for natural extensions to asynchronous 
programs inspired by features supported in common asynchronous programming languages 
and libraries. For the model of asynchronous programs where a handler can cancel all 
pending instances of a handler, we show that safety is decidable, but boundedness and 
termination are not. If in addition, a handler can test (at most once in every execution) 
the absence of pending instances for a specific handler, safety becomes undecidable as well. 
The decidability result uses decidability of coverability of Petri nets extended with reset arcs 
[Abdulla et al. 1996]. The undecidability results are based on undecidability of boundedness 
or reachability of Petri nets with reset arcs, or the undecidability of reachability of two- 
counter machines. 

2. INFORMAL EXAMPLES 

We start by giving informal examples of asynchronous programs using, for readability, a 
simple imperative language. We use C-like syntax with an additional construct post f(e) 
which is the syntax for an asynchronous call to procedure f with arguments e. Operationally, 
the execution of post f(e) posts handler f(e): an instance of handler f(e) is added to the 
task buffer. 

In the initial state of an asynchronous program, the task buffer is specified by the program- 
mer and the program stack is empty. Whenever the program stack is empty, the scheduler 
dispatches a pending handler instance, if any. The program stops when the scheduler has 
no pending handler instances to dispatch. 

In our formal development, we use a more abstract language acceptor based model. Com- 
piling our imperative programs to the formal model (assuming all data variables range over 
finite types) is straightforward although laborious. 

2.1. Safety Properties 

Figure 1 shows an abstracted example of a server that runs in a loop (procedure server) 
responding to external events to connect. When a client connects to the server, the server 
loop allocates a data structure for the connection, reads data asynchronously, sends data 
back to the client, and disconnects. If there is an error reading data, the connection is 
disconnected. 

The implementation uses asynchronous calls to procedures read and send. The server 
allocates data specific to a connection (alloc_client), sets the state of the connection to 
TO_READ and posts handler process_client to process the connection and posts itself to 
wait for the next connection. 

The handler process_client performs data read and data send. It looks at the state 
of the connection and posts read or send based on the state. It is an error to execute 
process_client if the connection is in any other state (and the code is expected never to 
reach the label E). 

The handler read can disconnect a connection based on some error (lines 1,2), or read 
data. If the data has not been read completely (modeled by the then-branch of the 
non-deterministic conditional on line 4), the state is kept at TO_READ. If the data has been read 
completely (modeled by the else-branch of the non-deterministic conditional on line 4), 
the state is changed to DONE_READ. In both cases, the procedure process_client is called 
(synchronously) which, in turn, posts read or send. 

The handler send closes the connection by calling disconnect. It expects a connection 
whose state DONE_READ denotes data has been read (the assertion on line 1), and the state 
is marked CLOSED. 

The example is representative of many server implementations, and demonstrates the 
difficulty of writing asynchronous programs. The sequential flow of control, in which a 
connection is accepted, data is read, data is sent to the client, and the connection is closed, 
gets broken into individual handlers and the control flow is obscured. Moreover, the state 
space can be unbounded as an arbitrary number of connections can be in flight at the same 
time. 

For correct behavior of the server, the programmer expects the connection is in specific 
states at various stages of processing. These are demonstrated by the assertions in the code. 

In this example, the assertion in send holds for all program executions, but the assertion 
in process_client does not. The assertion in send holds because the condition is checked 
in process_client (line 3) before send is posted. However, there can be an arbitrary delay 
between the check and the execution of send for this connection, with any number of other 
connections executing in the middle. 

The assertion in process_client can be violated in an execution in which read terminates 
a connection on line 2 by calling disconnect (which sets the state to CLOSED), and 
subsequently process_client is called on line 7. The bug occurs because the author forgot a 
return on line 2 after the disconnect. 

Our first goal is to get a sound and complete algorithm which can automatically check 
an asynchronous program for safety properties such as assertions. 
server() {
1:   client *c = alloc_client();
2:   if (c != 0) {
3:     c->state = TO_READ;
4:     post process_client(c);
     }
5:   post server();
}

process_client(c) {
1:   if (c->state == TO_READ) {
2:     post read(c); return;
     }
3:   if (c->state == DONE_READ) {
4:     post send(c); return;
     }
E:   assert(false);
}

read(c) {
1:   if (*) {
2:     disconnect(c);   // ERROR: should return here
3:   } else {
4:     if (*) { c->state = TO_READ; }
5:     else   { c->state = DONE_READ; }
6:   }
7:   process_client(c);
}

send(c) {
1:   assert(c->state == DONE_READ);
2:   disconnect(c);   // done processing
}

disconnect(c) {   // close connection
1:   c->state = CLOSED;
2:   return;
}

Initially: server();

Fig. 1. Server example with bug 
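As an added example (not code from the paper), the handlers of Fig. 1 are modelled in Python for a single connection and explored exhaustively over every dispatch order and every resolution of the non-deterministic `if (*)`. It assumes that handlers of different connections share no data, so one connection suffices for the per-connection assertions; it omits server() and starts where server() leaves a new connection, and it models label E and a failed assertion as distinguished connection states, so that the safety check becomes reachability of those states.

```python
from collections import Counter, deque

TO_READ, DONE_READ, CLOSED = "TO_READ", "DONE_READ", "CLOSED"
# Distinguished states standing for "label E reached" and "assertion failed".
ERROR_PC, ERROR_SEND = "ERROR in process_client", "ERROR in send"


def make_handlers(fixed):
    """Handlers of Fig. 1 for one connection. A handler maps the connection
    state to the list of possible (new state, posted handlers) outcomes, one
    per resolution of `if (*)`; a synchronous call is a plain Python call.
    `fixed` restores the `return` missing on line 2 of read."""
    def process_client(st):
        if st == TO_READ:
            return [(st, ["read"])]            # lines 1-2
        if st == DONE_READ:
            return [(st, ["send"])]            # lines 3-4
        return [(ERROR_PC, [])]                # label E: assert(false)

    def read(st):
        outcomes = []
        # then-branch of line 1: disconnect(c) on line 2 sets CLOSED
        if fixed:
            outcomes.append((CLOSED, []))      # with the return in place
        else:
            outcomes += process_client(CLOSED)  # falls through to line 7
        # else-branch of line 1: line 4 keeps TO_READ or moves to DONE_READ,
        # then process_client(c) is called synchronously on line 7
        for st2 in (TO_READ, DONE_READ):
            outcomes += process_client(st2)
        return outcomes

    def send(st):
        if st != DONE_READ:
            return [(ERROR_SEND, [])]          # assertion on line 1 fails
        return [(CLOSED, [])]                  # disconnect(c) on line 2

    return {"process_client": process_client, "read": read, "send": send}


def explore(fixed):
    """Exhaustive search over configurations (connection state, multiset of
    pending handlers). Starts where server() left the connection: state
    TO_READ with one instance of process_client pending."""
    handlers = make_handlers(fixed)
    start = (TO_READ, (("process_client", 1),))
    seen, todo = {start}, deque([start])
    while todo:
        st, pending = todo.popleft()
        if st.startswith("ERROR"):
            continue                           # nothing runs after a failure
        m = Counter(dict(pending))
        for h in m:
            rest = m.copy()
            rest[h] -= 1                       # dispatch one instance of h
            for st2, posts in handlers[h](st):
                c = (st2, tuple(sorted((rest + Counter(posts)).items())))
                if c not in seen:
                    seen.add(c)
                    todo.append(c)
    return seen


def violations(fixed):
    """The error states reachable in some execution (empty set = safe)."""
    return {st for st, _ in explore(fixed) if st.startswith("ERROR")}
```

With the bug, only the process_client assertion is reachable; the assertion in send holds in both versions, as the text states.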

2.2. Liveness Properties 

Figure 2 shows a simplified asynchronous implementation of windowed RPC, in which a 
client makes n asynchronous procedure calls in all, of which at most w < n are pending at 
any one time. (Assume that n and w are fixed constants.) Windowed RPC is a common 
systems programming idiom which enables concurrent interaction with a server without 
overloading it. 

The windowed RPC client is implemented in the procedure wrpc. Two global counters, 
sent and recv, respectively track the number of times rpccall has been posted and the 
number of instances of rpccall that have completed. The server is abstracted by 
global int sent = 0, recv = 0;
global int n, w;
wrpc() {
  if (recv < n) {
    if (sent < n && sent - recv < w) {
      post rpccall();
      sent++;
    }
    post wrpc();
  } else {
    return;
  }
}

rpccall() { recv++; }
Initially: wrpc();

Fig. 2. Windowed RPC implementation 

the procedure rpccall which increments recv. The procedure wrpc first checks how many 
instances of rpccall have completed. If the number is n or more, it terminates. Otherwise, 
if fewer than n instances of rpccall have been posted and the number of pending instances 
(equal to sent - recv) is lower than the window size w, then wrpc posts rpccall. Finally, 
wrpc posts itself (this is done by an asynchronous recursive call), either to further post 
handlers or to wait for pending instances of rpccall to complete. 

As mentioned in [Krohn et al. 2007], already in this simple case, asynchronous code with 
windowed control flow is quite complex as the control decisions are spread across multiple 
pieces of code. 

Consider the desirable property that the windowed RPC fairly terminates, which implies 
that, at some point in time, every pending instance of rpccall has completed and the task 
buffer is empty. Informally, this property is true because wrpc posts rpccall at most n 
times, and posts itself only as long as recv is less than n. Each execution of rpccall 
increments recv, so that after n dispatches of rpccall, the value of recv reaches n, and 
from this point, each dispatch of wrpc posts no new handler. Thus, eventually, the 
task buffer becomes empty. 

Notice that we need the assumption that the scheduler fairly dispatches pending handlers: 
a post to q is followed by a dispatch of q. Without that assumption the program does not 
terminate: consider the infinite run where the scheduler always picks wrpc in preference to 
rpccall. 

Fair Termination. An asynchronous program fairly terminates if (i) every time a 
procedure is called (synchronously or asynchronously), it eventually returns; and (ii) there is 
no infinite run that is fair. An infinite run is said to be fair if for every handler q and for 
every step along the run, a pending instance of q is followed by a dispatch of q. The fairness 
constraint is expressible as an ω-regular property. 
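As an added example (not the paper's code), the windowed RPC client of Fig. 2 executed by a co-operative scheduler in Python: a round-robin scheduler, which satisfies the fairness assumption above, empties the task buffer, while a scheduler that always prefers wrpc produces the non-terminating run described before the definition. The Python handler functions, the round-robin rule and the constants n = 5, w = 2 are assumptions of this example.

```python
from collections import Counter


def make_wrpc(n, w):
    """Handlers of Fig. 2 for fixed n and w. The global state is the pair
    (sent, recv); a handler returns (new global state, posted handler names)."""
    def wrpc(g):
        sent, recv = g
        if recv < n:
            posts = []
            if sent < n and sent - recv < w:   # window not full
                posts.append("rpccall")
                sent += 1
            posts.append("wrpc")               # asynchronous recursive call
            return (sent, recv), posts
        return g, []                           # all replies in: stop

    def rpccall(g):
        sent, recv = g
        return (sent, recv + 1), []

    return {"wrpc": wrpc, "rpccall": rpccall}


def run(handlers, g, pending, pick, max_steps):
    """Co-operative scheduler: pick and execute pending handler instances
    until the task buffer is empty or max_steps dispatches were made.
    Returns (global state, remaining buffer, dispatch sequence, peak size)."""
    pending = Counter(pending)                 # task buffer as a multiset
    dispatched, peak = [], sum(pending.values())
    while +pending and len(dispatched) < max_steps:
        h = pick(pending, dispatched)
        pending[h] -= 1                        # remove the dispatched instance
        g, posts = handlers[h](g)              # run it to completion
        pending.update(posts)                  # add what it posted
        dispatched.append(h)
        peak = max(peak, sum(pending.values()))
    return g, +pending, dispatched, peak


def fair_pick(pending, dispatched):
    """Round-robin over pending handlers: the one dispatched least recently
    goes first, so a posted instance is always followed by a dispatch."""
    live = [h for h, k in pending.items() if k > 0]

    def last_dispatch(h):
        return max((i for i, d in enumerate(dispatched) if d == h), default=-1)

    return min(live, key=last_dispatch)


def unfair_pick(pending, dispatched):
    """Always prefer wrpc over rpccall: the pending replies never run."""
    return "wrpc" if pending["wrpc"] > 0 else "rpccall"


def windowed_rpc(n, w, pick, max_steps=1000):
    """Run Fig. 2 from the initial buffer [wrpc] under the scheduler `pick`."""
    return run(make_wrpc(n, w), (0, 0), {"wrpc": 1}, pick, max_steps)
```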

Of course, for most server applications, the asynchronous program implementing the 
server should not terminate (indeed, termination of a server points to a bug). 

Fair Non-starvation. A second "progress condition" is fair non-starvation. When an asyn- 
chronous program does not terminate, we can still require that (i) every execution of a 
procedure that is called (synchronous or asynchronous) eventually returns; and (ii) along 
every fair infinite run no handler is starved. A starving handler corresponds to a particular 
pending handler instance which is never dispatched, and hence which waits forever to be 
executed. Consider a handler h that posts itself twice. A fair infinite execution dispatches 
h infinitely often, even though a particular pending instance to h may never get to run. 
global bit = 0;
h1() {
  if (bit == 0) {
    post h1();
    post h2();
  }
}

h2() {
  bit = 1;
}

Initially: h1();
Fig. 3. A fairly terminating asynchronous program 

Our second goal is to provide sound and complete algorithms to check fair termination 
and fair non-starvation properties of asynchronous programs. 

Proving safety and liveness properties for asynchronous programs is difficult for several 
reasons. First, as the server and the windowed RPC examples suggest, reasoning about 
termination may require reasoning about the dataflow facts (e.g., the fact that the state 
is checked to be DONE_READ before posting send in server or that recv eventually reaches 
n in RPC). Second, at each point, there can be an unbounded number of pending handler 
instances. This is illustrated by the program in Fig. 3, which terminates on each fair 
execution, but in which the task buffer contains unboundedly many pending instances (of h2). 
Third, each handler can potentially be recursive, so the program stack can be unbounded 
as well. 

We remark that if the finite dataflow domain induces a sound abstraction of a concrete 
asynchronous program in which data variables range over infinite domains, that is, if the 
finite abstraction has more behaviors, then our analysis is sound: if the analysis with the 
finite dataflow domains shows the asynchronous program fairly terminates (resp. is fair 
non-starving) then the original asynchronous program fairly terminates (resp. is fair 
non-starving). 

3. PRELIMINARIES 
3.1. Basics 

An alphabet is a finite non-empty set of symbols. For an alphabet $\Sigma$, we write $\Sigma^*$ for the set 
of finite sequences of symbols (also called words) over $\Sigma$. A set $L \subseteq \Sigma^*$ of words defines a 
language. The length of a word $w \in \Sigma^*$, denoted $|w|$, is defined as expected. An infinite word 
over alphabet $\Sigma$ is an infinite sequence of symbols. For a finite non-empty word $w \in \Sigma^* \setminus \{\varepsilon\}$, 
we write $w^\omega$ for the infinite word given by the infinite repetition of $w$, that is, $w \cdot w \cdot w \cdots$. 
The projection of word $w$ onto some alphabet $\Sigma'$, written $\mathit{Proj}_{\Sigma'}(w)$, is the word obtained 
by erasing from $w$ each symbol which does not belong to $\Sigma'$. For a language $L$, define 
$\mathit{Proj}_{\Sigma'}(L) = \{\mathit{Proj}_{\Sigma'}(w) \mid w \in L\}$. 

A multiset $m\colon \Sigma \to \mathbb{N}$ over $\Sigma$ maps each symbol of $\Sigma$ to a natural number. Let $\mathbb{M}[\Sigma]$ 
be the set of all multisets over $\Sigma$. We treat sets as a special case of multisets where each 
element is mapped onto 0 or 1. 

We sometimes write $m = [q_1, q_1, q_3]$ for the multiset $m \in \mathbb{M}[\{q_1, q_2, q_3, q_4\}]$ such that 
$m(q_1) = 2$, $m(q_2) = m(q_4) = 0$, and $m(q_3) = 1$. The empty multiset $[\,]$ is denoted $\mathbf{0}$. The 
size of a multiset $m$, denoted $|m|$, is given by $\sum_{\gamma \in \Sigma} m(\gamma)$. Note that this definition applies 
to sets as well. 
Given two multisets $m, m' \in \mathbb{M}[\Sigma]$ we define $m \oplus m' \in \mathbb{M}[\Sigma]$ to be the multiset such that 
$\forall a \in \Sigma\colon (m \oplus m')(a) = m(a) + m'(a)$; we also define the natural order $\preceq$ on $\mathbb{M}[\Sigma]$ as follows: 
$m \preceq m'$ iff there exists $m^\Delta \in \mathbb{M}[\Sigma]$ such that $m \oplus m^\Delta = m'$. 

Given $m$, we define $\downarrow m$ and $\uparrow m$ to be the downward closure and upward closure of $m$, 
defined by $\{m' \in \mathbb{M}[\Sigma] \mid m' \preceq m\}$ and $\{m' \in \mathbb{M}[\Sigma] \mid m \preceq m'\}$, respectively. The downward 
and upward closure are naturally extended to sets of multisets. 

For $\Sigma \subseteq \Sigma'$ we regard $m \in \mathbb{M}[\Sigma]$ as a multiset of $\mathbb{M}[\Sigma']$ where undefined values are sent 
to 0. We define the projection of $m' \in \mathbb{M}[\Sigma']$ onto $\Sigma \subseteq \Sigma'$ as the multiset $m \in \mathbb{M}[\Sigma]$ such 
that $\forall \sigma \in \Sigma\colon m(\sigma) = m'(\sigma)$. We write this as follows: $\mathit{Proj}_{\Sigma}(m')$. 

The Parikh image $\mathit{Parikh}\colon \Sigma^* \to \mathbb{M}[\Sigma]$ maps a word $w \in \Sigma^*$ to a multiset $\mathit{Parikh}(w)$ such 
that $\mathit{Parikh}(w)(a)$ is the number of occurrences of $a$ in $w$. For example, $\mathit{Parikh}(abbab)(a) = 2$, 
$\mathit{Parikh}(abbab)(b) = 3$ and $\mathit{Parikh}(\varepsilon) = \mathbf{0}$. For a language $L$, we define $\mathit{Parikh}(L) = 
\{\mathit{Parikh}(w) \mid w \in L\}$. Given an alphabet $\Sigma'$, define $\mathit{Parikh}_{\Sigma'}$ to be the function $\mathit{Parikh} \circ \mathit{Proj}_{\Sigma'}$, 
where $\circ$ denotes function composition. 

3.2. Formal Languages 

A context-free grammar (CFG for short) $G$ is a tuple $(\mathcal{X}, \Sigma, \mathcal{P})$ where $\mathcal{X}$ is a finite set of 
variables (non-terminal letters), $\Sigma$ is an alphabet of terminal letters and $\mathcal{P} \subseteq \mathcal{X} \times (\Sigma \cup \mathcal{X})^*$ 
a finite set of productions (the production $(X, w)$ may also be noted $X \to w$). Given two 
strings $u, v \in (\Sigma \cup \mathcal{X})^*$ we define the relation $u \Rightarrow_G v$ if there exists a production $(X, w) \in \mathcal{P}$ 
and some words $y, z \in (\Sigma \cup \mathcal{X})^*$ such that $u = yXz$ and $v = ywz$. We use $\Rightarrow_G^*$ for the 
reflexive transitive closure of $\Rightarrow_G$. A word $w \in \Sigma^*$ is recognized (we also say accepted) from 
the state $X \in \mathcal{X}$ if $X \Rightarrow_G^* w$. We sometimes simply write $\Rightarrow$ instead of $\Rightarrow_G$ if $G$ is clear from 
the context. 

An initialized context-free grammar $G$ is given by a tuple $(\mathcal{X}, \Sigma, \mathcal{P}, X_0)$ where $(\mathcal{X}, \Sigma, \mathcal{P})$ 
is a CFG and $X_0 \in \mathcal{X}$ is the initial variable. When the initial variable is clear from the 
context, we simply say context-free grammar. 

We define the language of an initialized CFG $G$, denoted $L(G)$, as $\{w \in \Sigma^* \mid X_0 \Rightarrow^* w\}$. 
A language $L$ is context-free (written CFL) if there exists an initialized CFG $G$ such that 
$L = L(G)$. 

A regular grammar $R$ is a context-free grammar such that each production is in $\mathcal{X} \times ((\Sigma \cdot 
\mathcal{X}) \cup \{\varepsilon\})$. It is known that a language $L$ is regular iff $L = L(R)$ for some initialized regular 
grammar $R$. 

We usually use the letters $G$ and $R$ to denote grammars and regular grammars, 
respectively. Given a CFG $G = (\mathcal{X}, \Sigma, \mathcal{P})$ its size, denoted $\|G\|$, is given by $|\mathcal{X}| + |\Sigma| + 
\sum\{|Xw| \mid (X, w) \in \mathcal{P}\}$. 

We will use the following result from language theory in our proofs. 

Lemma 3.1. (Parikh's Lemma [Parikh 1966]) For any context-free language $L$ there is 
an effectively computable regular language $L'$ such that $\mathit{Parikh}(L) = \mathit{Parikh}(L')$. 

Any two languages $L$ and $L'$ such that $\mathit{Parikh}(L) = \mathit{Parikh}(L')$ are said to be Parikh- 
equivalent. 

Throughout the paper, we make the following assumption without loss of generality. 
Assumption 1. $\mathcal{P} \subseteq \mathcal{X} \times (\mathcal{X}^2 \cup \Sigma \cup \{\varepsilon\})$ for every CFG $G = (\mathcal{X}, \Sigma, \mathcal{P})$. 

It has been shown, see for instance [Lange and Leiß 2010], that every CFG can be trans- 
formed, in polynomial time, into an equivalent grammar of the above form. 
4. FORMAL MODEL 

As noted in the informal example, our formal model consists of three ingredients: a global 
store of data values, a set of potentially recursive handlers, and a task buffer that maintains 
a multiset of pending handler instances. We formalize the representation using asynchronous 
programs. 

4.1. Asynchronous Programs 

An asynchronous program $\mathfrak{P} = (D, \Sigma, \Sigma_i, G, R, d_0, m_0)$ consists of a finite set of global states 
$D$, an alphabet $\Sigma$ of handler names, an alphabet $\Sigma_i$ of internal actions disjoint from $\Sigma$, 
a CFG $G = (\mathcal{X}, \Sigma \cup \Sigma_i, \mathcal{P})$, a regular grammar $R = (D, \Sigma \cup \Sigma_i, \delta)$, a multiset $m_0 \in \mathbb{M}[\Sigma]$ 
of initial pending handler instances, and an initial state $d_0 \in D$. We assume that for each 
$\sigma \in \Sigma$, there is a non-terminal $X_\sigma \in \mathcal{X}$ of $G$. 

A configuration $(d, m) \in D \times \mathbb{M}[\Sigma]$ of $\mathfrak{P}$ consists of a global state $d$ and a multiset $m$ of 
pending handler instances. For a configuration $c$, we write $c.d$ and $c.m$ for the global state 
and the multiset in the configuration respectively. The initial configuration $c_0$ of $\mathfrak{P}$ is given 
by $c_0.d = d_0$ and $c_0.m = m_0$. 

The semantics of an asynchronous program is given as a labeled transition system over 
the set of configurations, with a transition relation $\to\, \subseteq (D \times \mathbb{M}[\Sigma]) \times \Sigma \times (D \times \mathbb{M}[\Sigma])$ defined 
as follows: let $m, m' \in \mathbb{M}[\Sigma]$, $d, d' \in D$ and $\sigma \in \Sigma$: 

$$(d, m \oplus [\sigma]) \xrightarrow{\sigma} (d', m \oplus m') \quad\text{iff}\quad \exists w \in (\Sigma \cup \Sigma_i)^*\colon\; X_\sigma \Rightarrow_G^* w \;\wedge\; d \Rightarrow_R^* w\,d' \;\wedge\; m' = \mathit{Parikh}_\Sigma(w).$$

Intuitively, we model the (potentially recursive) code of a handler using a context-free 
grammar. The code of a handler does two things: first, it can change the global state 
(through $R$), and second, it can add new pending handler instances (through derivation of 
a word in $\Sigma^*$). Together, the transition relation $\to$ states that there is a transition from 
configuration $(d, m \oplus [\sigma])$ to $(d', m \oplus m')$ if there is an execution of handler $\sigma$ that changes 
the global state from $d$ to $d'$ and adds to the task buffer the handler instances given by 
$m'$. Note that the multiset $m$ (the current content of the task buffer minus the pending 
handler instance $\sigma$) is unchanged while $\sigma$ executes, and that the order in which the handler 
instances are added to the task buffer is immaterial (hence, in our definition, we take the 
Parikh image of $w$). 

Finally, we conclude from the definition of their semantics that asynchronous programs satisfy the following form of monotonicity. Let us first define the ordering $\sqsubseteq\ \subseteq (D \times \mathbb{M}[\Sigma]) \times (D \times \mathbb{M}[\Sigma])$ such that $c \sqsubseteq c'$ iff $c.d = c'.d \wedge c.m \preceq c'.m$. Then we have:

$$\forall \sigma \in \Sigma\ \forall c_1\ \forall c_2\ \forall c_3\ \exists c_4 :\ c_1 \xrightarrow{\sigma} c_2 \wedge c_1 \sqsubseteq c_3 \ \text{ implies } \ c_3 \xrightarrow{\sigma} c_4 \wedge c_2 \sqsubseteq c_4 .$$

Therefore, as already pointed out in [Sen and Viswanathan 2006; Chadha and Viswanathan 2009], the transition systems $((D \times \mathbb{M}[\Sigma], \sqsubseteq), \to, c_0)$ defined by asynchronous programs are well-structured transition systems as given in [Abdulla et al. 1996; Finkel and Schnoebelen 2001].

A run of an asynchronous program is a finite or infinite sequence

$$c_0 \xrightarrow{\sigma_0} c_1 \cdots c_k \xrightarrow{\sigma_k} c_{k+1} \cdots$$

of configurations $c_i$ starting from the initial configuration $c_0$, where each $\sigma_i \in \Sigma$. A configuration $c$ is reachable if there is a finite run $c_0 \xrightarrow{\sigma_0} \cdots \xrightarrow{\sigma_{k-1}} c_k$ with $c_k = c$.

A handler $\sigma \in \Sigma$ is pending at a configuration $c$ if $c.m(\sigma) > 0$. The handler $\sigma$ is said to be dispatched in the transition $c \xrightarrow{\sigma} c'$.
An infinite run $c_0 \xrightarrow{\sigma_0} \cdots c_k \xrightarrow{\sigma_k} \cdots$ is fair if for every $\sigma \in \Sigma$, if $\sigma$ is dispatched only finitely many times along the run, then $\sigma$ is not pending at $c_j$ for infinitely many $j$'s. Intuitively, an infinite run is unfair if at some point some handler is pending and is never dispatched.

For complexity considerations, we encode an asynchronous program as follows. The grammars $G$ and $R$ are encoded as given in Sect. 3.2. The initial multiset is encoded as a list of pairs $(\sigma, m_0(\sigma))$, using a binary representation for $m_0(\sigma)$. The size of an asynchronous program $\mathfrak{P}$ encoded as above is denoted $\|\mathfrak{P}\|$.

4.2. From Program Flow Graphs to Asynchronous Programs 

We briefly describe how program flow graphs can be represented formally as asynchronous 
programs. 

We represent programs using control flow graphs [Aho et al. 1986], one for each procedure. The set of procedure names is denoted $\Sigma$. The control flow graph for a procedure $\sigma \in \Sigma$ consists of a labeled, directed graph $(V_\sigma, E_\sigma)$, together with a unique entry node $v^e_\sigma \in V_\sigma$, a unique exit node $v^x_\sigma \in V_\sigma$, and an edge labeling which labels each edge with either a statement (such as an assignment or a conditional) taken from a set $\mathit{stmts}$, a synchronous procedure call (that gets executed immediately), or an asynchronous procedure call (that gets added to the task buffer). The nodes of the control flow graph correspond to control points in the procedure; the entry and exit nodes represent the points where execution begins and ends, respectively. Moreover, control flow graphs are well-formed: every node of $V_\sigma$ is reachable from $v^e_\sigma$ and co-reachable from $v^x_\sigma$. We allow arbitrary recursion.

Let $D$ be a fixed finite set of dataflow values. We assume that there is an abstract transfer function $M : D \times (\Sigma \cup \mathit{stmts}) \to D$ which maps dataflow values and statements to a dataflow value, and captures the abstract semantics of the program.

Let us now define an asynchronous program $\mathfrak{P} = (D, \Sigma, \mathit{stmts}, G, R, d_0, m_0)$. The reasoning underlying the definition of $\mathfrak{P}$ is to map the control flow graphs to $G$ and the abstract transfer function to $R$.

We define the CFG $G = (X, \Sigma \cup \mathit{stmts}, \mathcal{P})$ where the set of nonterminals $X$ is the set of all nodes in all control flow graphs.

The set of productions $\mathcal{P}$ is defined as the smallest set such that:

— $(X \to \sigma \cdot Y) \in \mathcal{P}$ if the edge $(X, Y)$ in the control flow graph is labeled with an asynchronous call to procedure $\sigma \in \Sigma$;

— $(X \to \mathit{st} \cdot Y) \in \mathcal{P}$ if the edge $(X, Y)$ is labeled with a statement $\mathit{st} \in \mathit{stmts}$;

— $(X \to v^e_\sigma \cdot Y) \in \mathcal{P}$ if the edge $(X, Y)$ is labeled with a synchronous call to procedure $\sigma \in \Sigma$;

— $(v^x_\sigma \to \varepsilon) \in \mathcal{P}$ for each procedure $\sigma \in \Sigma$.

Assumption 1 does not hold on $G$. However it can be enforced easily (in this case in linear time) by replacing each production of the form $X \to \gamma \cdot Y$ (with $\gamma \in \Sigma \cup \mathit{stmts}$) by $X \to Z \cdot Y$ and $Z \to \gamma$, where $Z$ is a fresh variable.

We define the regular grammar $R = (D, \Sigma \cup \mathit{stmts}, \delta)$ where
$$\delta = \{\, d \to \mathit{st} \cdot d' \mid d, d' \in D \wedge \mathit{st} \in \Sigma \cup \mathit{stmts} \wedge M(d, \mathit{st}) = d' \,\} .$$

Let $\sigma_0 \in \Sigma$ be the main procedure. Intuitively, a leftmost derivation in the grammar $G$ starting from $v^e_{\sigma_0}$ corresponds to an interprocedurally valid path in the program. The derived word is the sequence of asynchronous calls to procedures of $\Sigma$ and statements of $\mathit{stmts}$ made along that path. The global state is given by executing the program along the path with the abstract semantics specified by $M$ on the domain $D$ starting from an initial dataflow value $d_i$. Therefore, $\mathfrak{P}$ is such that $m_0 = [\sigma_0]$ and $d_0 = d_i$.

Remark 4.1. Observe that by modelling handlers using language acceptors we are abstracting away the non-terminating executions within a handler.

4.3. A Technical Construction

Given an asynchronous program $\mathfrak{P} = (D, \Sigma, \Sigma_i, G, R, d_0, m_0)$, we define a "product grammar" $G^R$ which synchronizes derivations in $G$ and $R$. The CFG $G^R$ simplifies some subsequent constructions on asynchronous programs.

Definition 4.2. Given a CFG $G = (X, \Sigma \cup \Sigma_i, \mathcal{P})$ and a regular grammar $R = (D, \Sigma \cup \Sigma_i, \delta)$, define the CFG $G^R = (X^R, \Sigma, \mathcal{P}^R)$ where $X^R = \{\, [dXd'] \mid d, d' \in D,\ X \in X \,\}$, and $\mathcal{P}^R$ is the least set such that each of the following holds:

— if $(X \to \varepsilon) \in \mathcal{P}$ and $d \in D$ then $([dXd] \to \varepsilon) \in \mathcal{P}^R$;

— if $(X \to a) \in \mathcal{P}$ and $(d \to a \cdot d') \in \delta$ then $([dXd'] \to \mathrm{Proj}_\Sigma(a)) \in \mathcal{P}^R$;

— if $[d_0 A d_1], [d_1 B d_2] \in X^R$ and $(X \to AB) \in \mathcal{P}$ then $([d_0 X d_2] \to [d_0 A d_1][d_1 B d_2]) \in \mathcal{P}^R$.

Lemma 4.3. Let $G$, $R$ and $G^R$ be as in Def. 4.2. For every $d, d' \in D$, $X \in X$, $w_1 \in \Sigma^*$ and $w \in (\Sigma \cup \Sigma_i)^*$ we have:

$$[dXd'] \Rightarrow^*_{G^R} w_1 \ \text{ implies } \ \exists w_2 \in (\Sigma \cup \Sigma_i)^* :\ \mathrm{Proj}_\Sigma(w_2) = w_1 \wedge d \Rightarrow^*_R w_2 \cdot d' \wedge X \Rightarrow^*_G w_2 \qquad (1)$$

$$d \Rightarrow^*_R w \cdot d' \wedge X \Rightarrow^*_G w \ \text{ implies } \ [dXd'] \Rightarrow^*_{G^R} \mathrm{Proj}_\Sigma(w) . \qquad (2)$$

Moreover, $G^R$ can be computed in time polynomial in the size of $G$ and $R$.

Proof. See Sect. A for a proof of (1) and (2). Given Def. 4.2, it is routine to check that the time complexity bound holds. □

Lem. 4.5 below makes clear the purpose of this section: it gives an equivalent but simpler 
definition for the semantics of an asynchronous program. 

Definition 4.4. Let $\mathfrak{P} = (D, \Sigma, \Sigma_i, G, R, d_0, m_0)$ be an asynchronous program. We define a context to be an element of $D \times \Sigma \times D$. We also introduce the abbreviation $\mathfrak{C} = D \times \Sigma \times D$ for the set of all contexts. Let $c = (d_i, \sigma, d_f) \in \mathfrak{C}$; define $G_c$ to be the initialized CFG given by $G^R$ with the initial symbol $[d_i X_\sigma d_f]$, that is $G_c = (X^R, \Sigma, \mathcal{P}^R, [d_i X_\sigma d_f])$.

Lemma 4.5. Let $c = (d_1, \sigma, d_2) \in \mathfrak{C}$ and $m \in \mathbb{M}[\Sigma]$; we have:

$$(d_1, [\sigma]) \xrightarrow{\sigma} (d_2, m) \ \text{ iff } \ m \in \mathrm{Parikh}(L(G_c)) .$$



Proof. The definition of $\to$ shows that

$(d_1, [\sigma]) \xrightarrow{\sigma} (d_2, m)$

iff $\exists w \in (\Sigma \cup \Sigma_i)^* :\ d_1 \Rightarrow^*_R w \cdot d_2 \wedge X_\sigma \Rightarrow^*_G w \wedge m = \mathrm{Parikh}_\Sigma(w)$ (def. of $\to$)

iff $\exists w \in (\Sigma \cup \Sigma_i)^* :\ [d_1 X_\sigma d_2] \Rightarrow^* \mathrm{Proj}_\Sigma(w) \wedge m = \mathrm{Parikh}_\Sigma(w)$ (Lem. 4.3)

iff $\exists w \in (\Sigma \cup \Sigma_i)^* :\ [d_1 X_\sigma d_2] \Rightarrow^* \mathrm{Proj}_\Sigma(w) \wedge m = \mathrm{Parikh} \circ \mathrm{Proj}_\Sigma(w)$ (def. of $\mathrm{Parikh}_\Sigma$)

iff $\exists w' \in \Sigma^* :\ [d_1 X_\sigma d_2] \Rightarrow^* w' \wedge m = \mathrm{Parikh}(w')$ (elim. $\mathrm{Proj}_\Sigma$)

iff $m \in \mathrm{Parikh}(L(G_c))$ (def. of $G_c$, $\mathrm{Parikh}$) □



Observe that this equivalent semantics completely ignores the order in which handlers are posted. Using the above constructions, we have eliminated the need to explicitly carry around the internal actions $\Sigma_i$. Consequently, in what follows, we shall omit the internal actions from our description of asynchronous programs.
4.4. Properties of Asynchronous Programs

In this paper, we study the following decision problems for asynchronous programs. The 
first set of problems relate to properties of finite runs. 

Definition 4.6.

— Safety (Global state reachability):
Instance: An asynchronous program $\mathfrak{P}$ and a global state $d_f \in D$.
Question: Is there a reachable configuration $c$ such that $c.d = d_f$?
If so, $d_f$ is said to be reachable (in $\mathfrak{P}$); otherwise unreachable.

— Boundedness (of the task buffer):
Instance: An asynchronous program $\mathfrak{P}$.
Question: Is there an $N \in \mathbb{N}$ such that for every reachable configuration $c$ we have $|c.m| \leq N$?
If so, the asynchronous program is bounded; otherwise unbounded.

— Configuration reachability:
Instance: An asynchronous program $\mathfrak{P}$ and a configuration $c$.
Question: Is $c$ reachable?

The next set of problems relate to properties of infinite runs. 

Definition 4.7. All the following problems have a common input given by an asynchronous program $\mathfrak{P}$.

— Non Termination: Is there an infinite run?

— Fair Non Termination: Is there a fair infinite run?

— Fair Starvation: Is there a fair infinite run $c_0, c_1, \ldots, c_i, \ldots$, a handler $\sigma \in \Sigma$ and some index $J \geq 0$ such that for each $j \geq J$ we have (i) $c_j.m(\sigma) \geq 1$, and (ii) if $c_j \xrightarrow{\sigma} c_{j+1}$ then $c_j.m(\sigma) \geq 2$?

We provide some intuition on the fair starvation property. A run could be fair, but 
a specific pending handler instance may never get chosen in the run. We say that the 
handler instance is starved in the run. Of course, the desired property for a program is the 
complement: that no handler is starved on any run (i.e., that every infinite fair run does 
not starve any handler). 

5. PETRI NET SEMANTICS 

In this section we show how asynchronous programs can be modelled by Petri nets. We 
review a reduction from asynchronous programs to Petri nets and sharpen the reduction to 
get optimal complexity bounds. 

5.1. Petri nets 

A Petri net (PN for short) $N = (S, T, F = (I, O))$ consists of a finite non-empty set $S$ of places, a finite set $T$ of transitions disjoint from $S$, and a pair $F = (I, O)$ of functions $I : T \to \mathbb{M}[S]$ and $O : T \to \mathbb{M}[S]$.

To define the semantics of a PN we introduce the notion of marking. Given a PN $N = (S, T, F)$, a marking $m \in \mathbb{M}[S]$ is a multiset which maps each $p \in S$ to a non-negative integer. For a marking $m$, we say that $m(p)$ gives the number of tokens contained in place $p$.

A transition $t \in T$ is enabled at marking $m$, written $m[t\rangle$, if $I(t) \preceq m$. A transition $t$ that is enabled at $m$ can fire, yielding a marking $m'$ such that $m' \oplus I(t) = m \oplus O(t)$. We write this fact as follows: $m\,[t\rangle\,m'$.
We extend enabledness and firing inductively to finite sequences of transitions as follows. Let $w \in T^*$. If $w = \varepsilon$ we define $m\,[w\rangle\,m'$ iff $m' = m$; else if $w = u \cdot v$ we have $m\,[w\rangle\,m'$ iff there exists $m_1$ such that $m\,[u\rangle\,m_1$ and $m_1\,[v\rangle\,m'$.

Let $w_\infty = t_0, t_1, \ldots$ be an infinite sequence of transitions. We write $m\,[w_\infty\rangle$ iff there exist markings $m_0, m_1, \ldots$ such that $m = m_0$ and $m_i\,[t_i\rangle\,m_{i+1}$ for every $i$.

An initialized PN is given by a pair $(N, m_i)$ where $N = (S, T, F)$ is a Petri net and $m_i \in \mathbb{M}[S]$ is called the initial marking of $N$.

A marking $m$ is reachable from $m_0$ iff there exists $w \in T^*$ such that $m_0\,[w\rangle\,m$. The set of reachable markings from $m_0$, written $[m_0\rangle$, is thus $\{\, m \mid \exists w \in T^* : m_0\,[w\rangle\,m \,\}$. When the starting marking is omitted, it is assumed to be $m_i$.

We now define the size of the encoding of a PN and of its markings. First, let us recall the encoding of a multiset $m \in \mathbb{M}[S]$. It is encoded as a list of symbol/value pairs $(p, m(p))$, one for each symbol $p \in S$. The size of the encoding, noted $\|m\|$, is given by the number of bits needed to write down the list of pairs, where we assume $m(p)$ is encoded in binary. The encoding of a PN $N$ is given by a list of lists. Each transition $t \in T$ is encoded by two lists corresponding to $I(t)$ and $O(t)$. The size of $N$, written $\|N\|$, is thus defined as

$$\sum_{t \in T} \|I(t)\| + \sum_{t \in T} \|O(t)\| .$$

We now define the boundedness, the reachability and the coverability problem for Petri nets. Let $(N, m_i)$ be an initialized PN. The boundedness problem asks if $[m_i\rangle$ is a finite set. Let $m \in \mathbb{M}[S]$; the reachability problem (resp. coverability problem) asks if $m \in [m_i\rangle$ (resp. ${\uparrow}m \cap [m_i\rangle \neq \emptyset$) and if so $m$ is said to be reachable (resp. coverable). In each of the above problems, the size of an instance is given by $\|N\| + \|m_i\|$ plus $\|m\|$, if any.

A marking $m$ is Boolean if for each place $p \in S$, we have $m(p) \in \{0, 1\}$. An initialized Petri net is Boolean if $m_i$ is Boolean and for each $t \in T$, both $I(t)$ and $O(t)$ are Boolean. The following technical lemma shows that for any initialized Petri net, one can compute in polynomial time a Boolean initialized Petri net that is equivalent w.r.t. the boundedness problem (i.e., the original Petri net is bounded iff the Boolean Petri net is). Similarly, for an initialized Petri net and a marking, one can compute a Boolean initialized Petri net and a Boolean marking that are equivalent w.r.t. the coverability and reachability problems.

Lemma 5.1. (1) Let $(N, m_i)$ be an initialized PN. There exists a Boolean initialized PN $(N', m'_i)$ computable in polynomial time in the size of $(N, m_i)$ such that $(N, m_i)$ is bounded iff $(N', m'_i)$ is bounded.

(2) Let $(N, m_i, m_f)$ be an instance of the reachability (respectively, coverability) problem. There exists a Boolean initialized Petri net $(N', m'_i)$ and a Boolean marking $m'_f$ computable in polynomial time such that $m_f$ is reachable (respectively, coverable) in $(N, m_i)$ iff $m'_f$ is reachable (respectively, coverable) in $(N', m'_i)$.

Lem. 5.1, whose proof is in the appendix, shows that lower bounds for Petri nets already hold for Boolean Petri nets. This will be useful in the next sections to get lower bounds on asynchronous programs.

The following results are known from the PN literature. 

Theorem 5.2.

(1) [Rackoff 1978] The boundedness and coverability problems for PN are EXPSPACE-complete.

(2) [Kosaraju 1982; Lipton 1976] The reachability problem for PN is decidable and EXPSPACE-hard.

While the best known lower bound for Petri net reachability is EXPSPACE-hard, the best 
known upper bounds take non-primitive recursive space [Kosaraju 1982; Mayr and Meyer 
1981; Mayr 1981; Lambert 1992]. Moreover, Lem. 5.1 shows that the lower bounds hold 
already for Boolean Petri nets. 
5.2. Petri net semantics of asynchronous programs

We now show how to model an asynchronous program $\mathfrak{P} = (D, \Sigma, G, R, d_0, m_0)$ as an initialized PN $(N_\mathfrak{P}, m_i)$, parameterized by a family of widgets $\mathcal{N}^* = \{\, N^*_c \mid c \in D \times \Sigma \times D \,\}$. Each widget $N^*_{(d, \sigma, d')}$ is a Petri net, intuitively capturing the effect of executing a handler $\sigma$ taking the system from global state $d$ to global state $d'$.

Fix an asynchronous program $\mathfrak{P} = (D, \Sigma, G, R, d_0, m_0)$. Let $\mathcal{N}^* = \{\, N^*_c \mid c \in \mathfrak{C} \,\}$ be a family of Petri nets, called widgets, one for each context in $\mathfrak{C}$. We say that the family $\mathcal{N}^*$ is adequate if the following conditions hold. For each $c = (d_1, \sigma, d_2) \in \mathfrak{C}$, the widget $N^*_c = (S^*_c, T^*_c, F^*_c)$ is a PN with a distinguished entry place $(\mathit{begin}, c) \in S^*_c$ and a distinct exit place $(\mathit{end}, c) \in S^*_c$. Moreover for every $m \in \mathbb{M}[\Sigma]$ we have:

$$\exists w \in (T^*_c)^* :\ [(\mathit{begin}, c)]\,[w\rangle\,([(\mathit{end}, c)] \oplus m) \ \text{ iff } \ (d_1, [\sigma]) \xrightarrow{\sigma} (d_2, m) . \qquad (3)$$

Construction 1 below shows how an adequate family of widgets is "stitched together" to 
give a Petri net model for an asynchronous program. 

Construction 1. Let $\mathfrak{P} = (D, \Sigma, G, R, d_0, m_0)$ be an asynchronous program and $\mathcal{N}^*$ an adequate family of widgets for $\mathfrak{P}$. Define $(N_\mathfrak{P}(\mathcal{N}^*), m_i)$ to be an initialized PN where (1) $N_\mathfrak{P}(\mathcal{N}^*) = (S_\mathfrak{P}, T_\mathfrak{P}, F_\mathfrak{P})$ is given as follows:

— the set $S_\mathfrak{P}$ of places is given by $D \cup \Sigma \cup \bigcup_{c \in \mathfrak{C}} S^*_c$;

— the set $T_\mathfrak{P}$ of transitions is given by $\bigcup_{c \in \mathfrak{C}} (\{t^<_c\} \cup T^*_c \cup \{t^>_c\})$;

— $F_\mathfrak{P}$ is such that for each $c = (d_1, \sigma, d_2) \in \mathfrak{C}$ we have

$$F_\mathfrak{P}(t^<_c) = ([d_1, \sigma],\ [(\mathit{begin}, c)])$$

$$F_\mathfrak{P}(t) = F^*_c(t) \qquad t \in T^*_c$$

$$F_\mathfrak{P}(t^>_c) = ([(\mathit{end}, c)],\ [d_2])$$

and (2) $m_i = [d_0] \oplus m_0$.

In what follows we use the notation $N_\mathfrak{P}$ to denote $N_\mathfrak{P}(\mathcal{N}^*)$, which is parameterized by an adequate family $\mathcal{N}^*$.

We show two constructions of adequate families. First, we recall a simple definition of an adequate family of widgets, inspired by a similar construction in [Sen and Viswanathan 2006], that leads to a Petri net $N_\mathfrak{P}$ which is exponential in the size of $\mathfrak{P}$. Next, we give a new construction of an adequate family of widgets that leads to a Petri net $N_\mathfrak{P}$ of size polynomial in $\mathfrak{P}$. As we shall see later, our definition allows us to infer the existence of optimal EXPSPACE algorithms for checking safety and boundedness properties.

First construction of an adequate family. Let us now define the widgets $\mathcal{N}^* = \{N^*_c\}_{c \in \mathfrak{C}}$ using ideas from [Sen and Viswanathan 2006]. The central idea is to rely on the effective construction of Lem. 3.1 which, given an initialized CFG $G$, returns an initialized regular grammar $A$ such that the languages $L(G)$ and $L(A)$ are Parikh-equivalent.

Definition 5.3. Let $c = (d_1, \sigma, d_2) \in \mathfrak{C}$. Let $A_c = (Q_c, \Sigma, \delta_c, q_0)$ be a regular grammar such that $\mathrm{Parikh}(L(G_c)) = \mathrm{Parikh}(L(A_c))$. Define the Petri net $N^*_c = (S^*_c, T^*_c, F^*_c)$ given as follows:

— the set $S^*_c$ of places is given by $\{(\mathit{begin}, c), (\mathit{end}, c)\} \cup Q_c \cup \Sigma$;

— $T^*_c = \delta_c \cup \{t_c\}$;

— the sets $F^*_c$ are such that

$$F^*_c(t_c) = ([(\mathit{begin}, c)],\ [q_0])$$

$$F^*_c(q \to \varepsilon) = ([q],\ [(\mathit{end}, c)])$$

Finally, define $\mathcal{N}^* = \{N^*_c\}_{c \in \mathfrak{C}}$.

An invariant of $N^*_c$ is that every marking reachable from $[(\mathit{begin}, c)]$ is such that the tokens in places $Q_c$ never exceed 1.

Lem. 5.4 shows that $\mathcal{N}^*$ is an adequate family.

Lemma 5.4. Let $c = (d_1, \sigma, d_2) \in \mathfrak{C}$ and $m \in \mathbb{M}[\Sigma]$; all the following statements are equivalent:

(1) $(d_1, [\sigma]) \xrightarrow{\sigma} (d_2, m)$;
(2) $m \in \mathrm{Parikh}(L(G_c))$;
(3) $m \in \mathrm{Parikh}(L(A_c))$;
(4) $\exists w \in (T^*_c)^* :\ [(\mathit{begin}, c)]\,[w\rangle_{N^*_c}\,(m \oplus [(\mathit{end}, c)])$.

Proof. (1) and (2) are equivalent by Lem. 4.5. (2) and (3) are equivalent by assumption on $A_c$. Finally, (3) and (4) are equivalent by Def. 5.3. □

Note that for some $c \in \mathfrak{C}$ the set $S^*_c$ of places in $N^*_c$ may be exponentially larger than the set $X_c$ of variables of $G_c$. As an example consider the following CFG $G = (\{A_0, \ldots, A_n\}, \{a\}, \mathcal{P}, A_n)$ for some $n \geq 0$ where $\mathcal{P} = \{\, A_k \to A_{k-1} A_{k-1} : 1 \leq k \leq n \,\} \cup \{A_0 \to a\}$. Clearly $L(G) = \{a^{2^n}\}$ and therefore there is no regular grammar with fewer than $2^n$ variables which accepts the same language.

Second construction of an adequate family. We now define a new family $\mathcal{N} = \{N_c\}_{c \in \mathfrak{C}}$ of widgets which improves on $\mathcal{N}^*$ by providing more compact widgets, in particular, widgets polynomial in the size of $G$. Given a context $c = (d_1, \sigma, d_2) \in \mathfrak{C}$ and the associated initialized CFG $G_c = (X_c, \Sigma, \mathcal{P}_c, [d_1 X_\sigma d_2])$, the widget $N_c = (S_c, T_c, F_c)$ will be such that $|S_c| = O(|X_c|)$ and $|T_c| = O(|\mathcal{P}_c|)$.

Our construction combines two ingredients. 

The first ingredient is the following construction of [Esparza 1997] which, given an initialized CFG $G = (X, \Sigma, \mathcal{P}, S)$, returns an initialized PN $(N_G, m_i)$ where (1) $N_G = (S_G, T_G, F_G)$ is given by

— $S_G = X \cup \Sigma$ and $T_G = \mathcal{P}$;

— $F_G(X \to \alpha) = ([X],\ \mathrm{Parikh}(\alpha))$;

and (2) $m_i = [S]$. Let $\mathfrak{S}$ be the set of transition sequences that are enabled in $m_i$. We conclude from [Esparza 1997] that there is a total surjective function $f$ from the set of derivations of $G$ onto $\mathfrak{S}$ such that for every $\alpha \in (X \cup \Sigma)^*$, if $S \Rightarrow^*_G \alpha$ then $m_i\,[f(S \Rightarrow^*_G \alpha)\rangle\,\mathrm{Parikh}(\alpha)$.

Unfortunately, the above construction cannot be used directly to build an adequate family because of the following problem. Recall that for each $c \in \mathfrak{C}$ the widget $N_c = (S_c, T_c, F_c)$ has an exit place $(\mathit{end}, c) \in S_c$ and condition (3) must hold. Using Lem. 4.5 we obtain that (3) is equivalent to:

$$\exists w \in (T_c)^* :\ [(\mathit{begin}, c)]\,[w\rangle\,([(\mathit{end}, c)] \oplus m) \ \text{ iff } \ m \in \mathrm{Parikh}(L(G_c)) .$$

This means that widget $N_c$ should put a token in $(\mathit{end}, c)$ only after some $m \in \mathrm{Parikh}(L(G_c))$ has been generated, that is, it should check that the derivation $S \Rightarrow^*_G \alpha$ it is simulating cannot be further extended, i.e., $\alpha \in \Sigma^*$. This is equivalent to checking that each place which corresponds to a variable in $X_c$ is empty. However, the definition of PN transitions does not allow for such a test for 0. Therefore we need an additional ingredient in the widget in order to ensure that $N_c$ puts a token in $(\mathit{end}, c)$ only after some $m \in \mathrm{Parikh}(L(G_c))$ has been generated.

The second ingredient in our construction is the observation from [Esparza et al. 2010; Esparza et al. 2011] that as long as we are interested in the Parikh image of a context-free language, it suffices to only consider derivations of bounded index. Let us first introduce a few notions on derivations of CFG. Let $G = (X, \Sigma, \mathcal{P}, S)$ be an initialized CFG. Given a word $w \in (\Sigma \cup X)^*$, we denote by $\#_X(w)$ the number of symbols of $w$ that belong to $X$. Formally, $\#_X(w) = |\mathrm{Parikh}_X(w)|$. A derivation $S = \alpha_0 \Rightarrow \cdots \Rightarrow \alpha_m$ of $G$ has index $k$ if $\#_X(\alpha_i) \leq k$ for each $i \in \{0, \ldots, m\}$. The set of words of $\Sigma^*$ derivable through derivations of index $k$ is denoted by $L^{(k)}(G)$.

Lemma 5.5. (from [Esparza et al. 2011]) Let $G = (X, \Sigma, \mathcal{P}, S)$ be an initialized CFG, and let $k = |X|$; we have: $\mathrm{Parikh}(L(G)) = \mathrm{Parikh}(L^{(k+1)}(G))$.

Our next widget construction is directly based on this result. In the following, our widget definition only differs from the construction of [Esparza 1997] by our use of an additional budget place $\$$.

In the construction of $(N_G, m_i)$ above, define $\mathfrak{S}_k$ to be the subset of $\mathfrak{S}$ such that every marking reachable through a sequence in $\mathfrak{S}_k$ has no more than $k$ tokens in the places $X$. It is routine to check that $\{\, f^{-1}(w) \mid w \in \mathfrak{S}_k \,\}$ corresponds to the set of derivations of index $k$.

Let us define $N^k_G$, which adds an extra place $\$$ to $N_G$ in order to allow exactly the sequences of transitions of $\mathfrak{S}_k$.

Definition 5.6. Let $G = (X, \Sigma, \mathcal{P}, S)$ be an initialized CFG and let $k > 0$; we define $(N^k_G, m_i)$ to be an initialized PN where (1) $N^k_G = (S^k_G, T^k_G, F^k_G)$ is given by

— $S^k_G = X \cup \Sigma \cup \{\$\}$;

— $T^k_G = \mathcal{P}$; and

— $F^k_G$ is such that

$$F^k_G(X \to Z \cdot Y) = ([X, \$],\ [Z, Y]) \quad \text{and} \quad F^k_G(X \to a) = ([X],\ \mathrm{Parikh}(a) \oplus [\$])$$

and (2) $m_i = [S] \oplus [\$^{k-1}]$.

The set of enabled transition sequences of $N^k_G$ coincides with the set of derivations of index $k$. In fact, every reachable marking has exactly $k$ tokens in the places $X \cup \{\$\}$. Therefore no reachable marking puts more than $k$ tokens in the places $X$, which coincides with the condition imposed on derivations of index $k$.

Lemma 5.7. Let $G = (X, \Sigma, \mathcal{P}, S)$ be an initialized CFG, let $k > 0$, and let $(N^k_G = (S^k_G, T^k_G, F^k_G), m_i)$ be as in Def. 5.6. For every $m \in \mathbb{M}[S^k_G]$

$$(m \oplus [\$^k]) \in [m_i\rangle_{N^k_G} \ \text{ iff } \ m \in \mathrm{Parikh}(L^{(k)}(G)) .$$

Proof. We prove that for every $\alpha_1, \alpha_2 \in (X \cup \Sigma)^*$ where both $\#_X(\alpha_1) \leq k$ and $\#_X(\alpha_2) \leq k$, we have $\alpha_1 \Rightarrow \alpha_2$ iff there exists $t \in T^k_G$ such that $\mathrm{Parikh}(\alpha_1) \oplus [\$^{k - \#_X(\alpha_1)}]\,[t\rangle\,\mathrm{Parikh}(\alpha_2) \oplus [\$^{k - \#_X(\alpha_2)}]$. This holds by definition of $F^k_G$. Also observe that $m_i = \mathrm{Parikh}(S) \oplus [\$^{k - \#_X(S)}]$.

Now note that the right hand side is equivalent to saying that there exist $\alpha_1, \ldots, \alpha_{n+1} \in (X \cup \Sigma)^*$ where each $\alpha_i$ is such that $\#_X(\alpha_i) \leq k$, $S = \alpha_1$, $\alpha_{n+1} \in \Sigma^*$, $\alpha_1 \Rightarrow \alpha_2 \cdots \alpha_n \Rightarrow \alpha_{n+1}$ and $m = \mathrm{Parikh}(\alpha_{n+1})$, and use induction on $n$. □
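The following Python is an added example, not code from the paper: it builds the budget net $N^k_G$ of Def. 5.6 for the exponential grammar of Sect. 5.2 with $n = 2$ (so $L(G) = \{aaaa\}$ and $|X| = 3$), enumerates its reachable markings, and checks Lem. 5.7 against a direct enumeration of index-$k$ derivations. All function names are the example's own.

```python
from collections import Counter, deque

# Constructed instance: the grammar of Sect. 5.2 with nonterminals A_0..A_n,
# productions A_k -> A_{k-1} A_{k-1} (1 <= k <= n) and A_0 -> a, so L(G) = {a^(2^n)}.
# Productions are pairs (lhs, rhs) with rhs a tuple of length 2, 1 or 0 (Assumption 1).
def exp_grammar(n):
    nonterminals = [f"A{i}" for i in range(n + 1)]
    prods = [(f"A{k}", (f"A{k-1}", f"A{k-1}")) for k in range(1, n + 1)]
    prods.append(("A0", ("a",)))
    return nonterminals, {"a"}, prods, f"A{n}"

def parikh_key(symbols):
    # Parikh image as a hashable sorted tuple of (symbol, count) pairs
    return tuple(sorted(Counter(symbols).items()))

def bounded_index_parikh(grammar, k):
    """Parikh(L^(k)(G)): enumerate derivations whose sentential forms carry
    at most k nonterminals (the index-k condition of Sect. 5.2)."""
    X, sigma, prods, start = grammar
    seen, results, work = set(), set(), deque([(start,)])
    while work:
        form = work.popleft()
        if form in seen:
            continue
        seen.add(form)
        if all(s in sigma for s in form):          # terminal word reached
            results.add(parikh_key(form))
            continue
        for i, s in enumerate(form):
            if s in sigma:
                continue
            for lhs, rhs in prods:
                if lhs == s:
                    new_form = form[:i] + rhs + form[i + 1:]
                    if sum(1 for t in new_form if t in X) <= k:   # #_X(alpha) <= k
                        work.append(new_form)
    return results

def budget_net(grammar, k):
    """N_G^k of Def. 5.6: places X u Sigma u {$}, one transition per production,
    initial marking [S] + [$^(k-1)]. Transitions are (pre, post) multisets."""
    X, sigma, prods, start = grammar
    transitions = []
    for lhs, rhs in prods:
        if len(rhs) == 2:   # X -> Z.Y spends one budget token
            transitions.append((Counter({lhs: 1, "$": 1}), Counter(rhs)))
        else:               # X -> a or X -> eps returns one budget token
            transitions.append((Counter({lhs: 1}), Counter(rhs) + Counter({"$": 1})))
    return transitions, Counter({start: 1}) + Counter({"$": k - 1})

def reachable_markings(transitions, m_init):
    """Breadth-first exploration of [m_init>; markings are returned as sorted tuples."""
    seen, work = set(), deque([m_init])
    while work:
        m = work.popleft()
        key = tuple(sorted(m.items()))
        if key in seen:
            continue
        seen.add(key)
        for pre, post in transitions:
            if all(m[p] >= n for p, n in pre.items()):   # pre <= m: t is enabled
                work.append(m - pre + post)                # Counter ops drop zero counts
    return seen

def lemma57_parikh(grammar, k):
    """Markings m over Sigma such that m + [$^k] is reachable in N_G^k; by Lem. 5.7
    this set equals Parikh(L^(k)(G))."""
    X, sigma, prods, start = grammar
    transitions, m_init = budget_net(grammar, k)
    out = set()
    for marking in reachable_markings(transitions, m_init):
        m = dict(marking)
        if m.get("$", 0) == k and not any(x in m for x in X):
            out.add(tuple(sorted((p, n) for p, n in m.items() if p in sigma)))
    return out

if __name__ == "__main__":
    g = exp_grammar(2)                       # L(G) = {aaaa}, |X| = 3
    for k in (2, 3, 4):
        print(k, bounded_index_parikh(g, k), lemma57_parikh(g, k))
```

With $k = 2$ no derivation fits and the budget net never returns all $k$ tokens to $\$$; with $k = 3$ (and $k = 4 = |X| + 1$, as Lem. 5.5 guarantees) both sides yield exactly the Parikh image of $aaaa$.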
Let us now turn to our widget definition which directly relies on the above results.

Definition 5.8. Let $c = (d_1, \sigma, d_2) \in \mathfrak{C}$, and let $G_c = (X_c, \Sigma, \mathcal{P}_c, [d_1 X_\sigma d_2])$ be its associated initialized CFG. Define $k = |X_c|$ and $N_c = (S_c, T_c, F_c)$ such that:

— the set $S_c$ of places is given by $\{(\mathit{begin}, c), (\mathit{end}, c)\} \cup X_c \cup \{(\$, c)\} \cup \Sigma$;

— $T_c = \{t_c, t_e\} \cup \mathcal{P}_c$; and

— the set $F_c$ is such that

$$F_c(t_c) = ([(\mathit{begin}, c)],\ [[d_1 X_\sigma d_2]] \oplus [(\$, c)^k])$$

$$F_c(X \to Z \cdot Y) = ([X, (\$, c)],\ [Z, Y])$$

$$F_c(X \to a) = ([X],\ \mathrm{Parikh}(a) \oplus [(\$, c)])$$

$$F_c(t_e) = ([(\$, c)^{k+1}],\ [(\mathit{end}, c)])$$

Define $\mathcal{N} = \{N_c\}_{c \in \mathfrak{C}}$.

The following lemma shows that the family constructed above is adequate. 

Lemma 5.9. Let $c = (d_1, \sigma, d_2) \in \mathfrak{C}$ and $m \in \mathbb{M}[\Sigma]$; we have:

$$(d_1, [\sigma]) \xrightarrow{\sigma} (d_2, m) \ \text{ iff } \ \exists w \in (T_c)^* :\ [(\mathit{begin}, c)]\,[w\rangle_{N_c}\,([(\mathit{end}, c)] \oplus m) .$$

Moreover, $N_c$ is computable in time polynomial in the size of $G_c$.

Proof. Lem. 4.5 shows that the left hand side of the equivalence can be replaced by $m \in \mathrm{Parikh}(L(G_c))$. Moreover, Lem. 5.5 shows that $L^{(k+1)}(G_c)$ and $L(G_c)$ are Parikh-equivalent, hence that the left hand side of the equivalence can be replaced by $m \in \mathrm{Parikh}(L^{(k+1)}(G_c))$. Finally, we conclude from Lem. 5.7 and Def. 5.8 that $m \in \mathrm{Parikh}(L^{(k+1)}(G_c))$ iff $\exists w \in (T_c)^* : [(\mathit{begin}, c)]\,[w\rangle_{N_c}\,([(\mathit{end}, c)] \oplus m)$ and we are done. Finally, given Def. 5.8, it is routine to check that the polynomial time upper bound holds. □

6. MODEL CHECKING 
6.1. Safety and Boundedness 

In this section, we provide algorithms for checking safety (global state reachability), bound- 
edness, and configuration reachability for asynchronous programs by reduction to equivalent 
problems on PN. Conversely, we show that any PN can be simulated by an asynchronous 
program with no recursion. 

Lemma 6.1. Let $\mathfrak{P}$ be an asynchronous program and let $(N_\mathfrak{P}, m_i)$ be an initialized PN as given in Constr. 1. We have

— $(N_\mathfrak{P}, m_i)$ is bounded iff $\mathfrak{P}$ is bounded.

— $(d, m)$ is reachable in $\mathfrak{P}$ iff $[d] \oplus m$ is reachable in $N_\mathfrak{P}$ from $m_i$.

Moreover, $(N_\mathfrak{P}(\mathcal{N}), m_i)$ can be computed in polynomial time from $\mathfrak{P}$.

Proof. The results for boundedness and reachability essentially follow from requirement (3) in the definition of adequacy. For the polynomial time algorithm we first show that polynomial time is sufficient to compute $\mathcal{N}$ given $\mathfrak{P}$. In fact, the polynomial time upper bound follows from the fact that $\mathcal{N} = \{N_c\}_{c \in \mathfrak{C}}$ contains polynomially many widgets, that each $N_c$ is computable in polynomial time given $G_c$ (Lem. 5.9) and that each $G_c$ is computable in polynomial time given $\mathfrak{P}$ (basically $G$, $R$) and $c$ (Lem. 4.3). Then given $\mathcal{N}$, it is routine to check from Constr. 1 that $(N_\mathfrak{P}(\mathcal{N}), m_i)$ can be computed in polynomial time from $\mathfrak{P}$. □

Let us now consider the boundedness, the safety and the configuration reachability problems for asynchronous programs. Lem. 6.1 shows that for the boundedness, the safety and the configuration reachability problem for asynchronous programs there is an equivalent instance of, respectively, the boundedness, the coverability and the reachability problem for PN. Moreover each of these reductions can be carried out in polynomial time. In [Rackoff 1978] Rackoff gives EXPSPACE algorithms to solve the coverability and boundedness problems for PN, therefore we obtain an exponential space upper bound for the safety and boundedness problems for asynchronous programs. For the reachability problem, the best known upper bounds take non-primitive recursive space [Esparza and Nielsen 1994].



    global st = (ε, ε);

    runPN() {
      if st ∈ (T ∪ {ε}) × {ε} {
        pick t ∈ T non det.;
        st = (t, I(t));
      }
      post runPN();
    }

    p() {   // one such procedure for each place p ∈ S
      if st == (t, p · w) {
        st = (t, w);
        if w == ε {
          for each p' ∈ S do {
            if O(t)(p') > 0 {
              post p'();
            }
          }
        }
      } else {
        post p();
      }
    }

    Initially: m_i ⊕ [runPN]

Fig. 4. Let $(N = (S, T, F = (I, O)), m_i)$ be an initialized Boolean PN. We assume that $N$ is such that $\forall t \in T : |I(t)| > 0$. The encoding of $N$ is given by an asynchronous program with $|S| + 1$ handlers.

We now give the reverse reductions in order to derive lower complexity bounds. In fact, we show how to reduce instances of the boundedness, the coverability and the reachability problem for Boolean PN into equivalent instances of, respectively, the boundedness, the safety and the configuration reachability problem for asynchronous programs. Each of those reductions is carried out in polynomial time in the size of the given instance. From known EXPSPACE lower bounds for Petri nets, and the construction in Lem. 5.1, we get EXPSPACE lower bounds for the boundedness, the safety, and the configuration reachability problems for asynchronous programs.

Fix a Boolean initialized PN $(N, m_i)$. The encoding of a PN as an asynchronous program given in Fig. 4 is the main ingredient of our reductions.

For readability, we describe the asynchronous program in pseudocode syntax. It is easy to convert the pseudocode to a formal asynchronous program.

Let us fix an (arbitrary) linear ordering $<$ on the places in $S$. For each $t \in T$, let $I(t)$ be the sequence obtained by ordering the set $I(t)$ according to the ordering $<$ on $S$, and let $\mathit{suffix}(I(t))$ be the set of suffixes of $I(t)$. Clearly, for any $t \in T$, there are at most $|S| + 1$ elements in $\mathit{suffix}(I(t))$.

The intuition behind the construction of Fig. 4 is the following. The asynchronous program has $|S| + 1$ procedures, one procedure $p$ for each place $p \in S$, and a procedure runPN that simulates the transitions of the PN. The content of the task buffer (roughly) corresponds to the marking of the Petri net.

The procedure runPN initiates the simulation of the PN by selecting nondeterministically a transition to be fired. A global variable st keeps track of the transition $t$ selected and also the preconditions that have yet to be checked in order for $t$ to be enabled. The possible values for st are $(\varepsilon, \varepsilon)$ (which holds initially), and $(t, w)$ for transition $t \in T$ and $w \in \mathit{suffix}(I(t))$ (encoding the fact that the current transition being simulated is $t$, and we need to reduce the number of pending instances of each $p \in w$ by one in order to fire $t$). Thus, the maximum number of possible values of st is $|T| \cdot (|S| + 1) + 1$.

The code for runPN works as follows. If st $\in (T \cup \{\varepsilon\}) \times \{\varepsilon\}$, it nondeterministically selects an arbitrary transition $t$ of the PN (not necessarily an enabled transition) to be fired, sets st to $(t, I(t))$, and reposts itself. If st $\notin (T \cup \{\varepsilon\}) \times \{\varepsilon\}$, it simply reposts itself.

We now describe how a transition is fired based on the global state st. When runPN sets st to $(t, I(t))$, it means that we must consume a token from each place in $I(t)$ in order to fire $t$. Then the intuition is the following. Each time a handler $p$ is dispatched it will check if it is the first element in the precondition, i.e., if st $= (t, p \cdot w)$ for some $w$. If $p$ is not the first element in the precondition, it simply reposts itself, so that the number of pending instances of each $p' \in S$ before and after the dispatch of $p$ are equal. However, if st $= (t, p \cdot w)$, there are two possibilities. If $w \neq \varepsilon$, then handler $p$ updates st to $(t, w)$, but does not repost itself. This ensures that after the execution of $p$, the number of pending instances of $p$ is one fewer than before the execution of $p$ (and thus, we make progress in firing the transition $t$ by consuming a token from its precondition). If $w = \varepsilon$, then additionally, handler $p$ posts $p'$ for each $p' \in O(t)$. This ensures that the execution of the transition $t$ is complete, and moreover, each place in $O(t)$ now has a pending handler instance corresponding to the firing of $t$.

The initial task buffer is the multiset $m_i \oplus [\mathrm{runPN}]$ and the initial value of st is $(\varepsilon, \varepsilon)$.

The following invariant is preserved by the program of Fig. 4: whenever st $= (\mathit{tr}, \varepsilon)$ for $\mathit{tr} \in T \cup \{\varepsilon\}$, the multiset $m$ given by the number of pending instances of procedure $p$ for each $p \in S$ is such that $m_i\,[w \cdot \mathit{tr}\rangle\,m$ for some $w \in T^*$.

Let us prove the invariant. Initially, we have st $= (\varepsilon, \varepsilon)$ and the task buffer is precisely $m_i$, so the invariant holds because we have $m_i\,[\varepsilon\rangle\,m_i$.

By induction hypothesis, assume the invariant holds at some configuration of the program in which st $\in (T \cup \{\varepsilon\}) \times \{\varepsilon\}$. We show the invariant holds the next time st $\in (T \cup \{\varepsilon\}) \times \{\varepsilon\}$.

Whenever st is of the form $(\mathit{tr}, \varepsilon)$, each dispatch of $p$ for $p \in S$ simply reposts itself. When procedure runPN is dispatched, it picks a transition $t$ to be fired. Hence st is updated to $(t, I(t))$. Suppose $m[t\rangle$. Then, for each $p \in I(t)$, the program configuration has a pending instance of $p$. A sequence of dispatches corresponding to $I(t)$ will reduce st to $(t, p)$ for some $p \in S$, and at this point, the dispatch of $p$ will post as many calls as $O(t)$. The configuration reached after this dispatch of $p$ sets st $= (t, \varepsilon)$ and the configuration of the program corresponds to a marking $m'$ with $m' \oplus I(t) = m \oplus O(t)$.

Now suppose $t$ is not enabled in $m$. Then in the simulation, $st$ will get to some value $(t, p \cdot w)$ such that there is no pending instance of $p$. In this case the state $st$ will never again be set to a value in $(T \cup \{\varepsilon\}) \times \{\varepsilon\}$, and hence the invariant holds vacuously.

We conclude by establishing the EXPSPACE lower bounds for boundedness, safety and 
configuration reachability. 

Boundedness. Consider the reduction given in Fig. 4 which, given an initialized Boolean PN $(N, m_i)$, builds an asynchronous program $\mathfrak{P}$. We deduce from the above that $\mathfrak{P}$ is bounded iff $(N, m_i)$ is bounded. Moreover, it is routine to check that $\mathfrak{P}$ can be computed in time polynomial in the size of $(N, m_i)$.

Safety. Consider an instance of the coverability problem for Boolean PN. Because of the result of Lem. 5.1 we can assume this instance has the following form: a PN $N_b = (S \cup \{p_i, p_c\}, T \cup \{t_i, t_c\}, F_b)$, an initial marking $[p_i]$ and a marking $[p_c]$ to cover. Moreover, the only way to create a token in place $p_c$ is by firing transition $t_c$. Observe that $\uparrow[p_c] \cap [[p_i]\rangle_{N_b} \neq \emptyset$, namely $p_c$ is coverable, iff there exists $m$ such that $m \in [[p_i]\rangle_{N_b}$ and $m\,[t_c\rangle$.

Then using the polynomial-time construction given in Fig. 4 we obtain an asynchronous program $\mathfrak{P}$ which satisfies the property that the global state $st = (t_c, \varepsilon)$ is reachable in $\mathfrak{P}$ iff $\uparrow[p_c] \cap [[p_i]\rangle_{N_b} \neq \emptyset$.
Configuration reachability. Consider an instance of the reachability problem for Boolean PN. Because of the result of Lem. 5.1 we can assume this instance has the following form: a PN $N_b = (S \cup \{p_i, p_r\}, T \cup \{t_i, t_r\}, F_b)$, an initial marking $[p_i, p_r]$ and a target marking to reach. Moreover, every transition sequence which reaches the target marking ends with the firing of $t_r$. Therefore, using the polynomial-time construction given in Fig. 4 we obtain an asynchronous program $\mathfrak{P}$ which satisfies the property that the configuration $c$ such that $c.d$ is given by $st = (t_r, \varepsilon)$ and $c.m$ is the target marking is reachable in $\mathfrak{P}$ iff the target marking belongs to $[[p_i, p_r]\rangle_{N_b}$.

Hence we finally obtain the following results.

Theorem 6.2. 

(1) The global state reachability and boundedness problems for asynchronous programs are 
EXPSPACE-complete. 

(2) The configuration reachability problem for asynchronous programs is polynomial-time 
equivalent to the PN reachability problem. The configuration reachability problem is 
EXPSPACE-hard. 

6.2. Termination 

Since we now study properties of infinite runs of Petri nets modelling asynchronous programs, a subset of transitions becomes of particular interest. This subset allows us to distinguish the runs where some widget enters a non-terminating execution from those runs where each time a widget runs, it eventually terminates. Since our definition of asynchronous program does not allow for non-terminating runs of a handler (see Rmk. 4.1), we need a way to discriminate non-terminating runs in the corresponding PN widget.

Definition 6.3. Let $T^{d(a)}_{\mathfrak{P}} = \{ t^{<}_c \in T_{\mathfrak{P}} \mid c \in \mathcal{E} \cap (D \times \{a\} \times D) \}$ for $a \in \Sigma$, and let

$T^{d}_{\mathfrak{P}} = \bigcup_{a \in \Sigma} T^{d(a)}_{\mathfrak{P}}$.

Definition 6.4. Let $\mathfrak{P}$ be an asynchronous program, and let $(N_{\mathfrak{P}}, m_i)$ be an initialized PN as given in Constr. 1. Let $\rho = m_0\,[t_0\rangle\, m_1\,[t_1\rangle \ldots m_n\,[t_n\rangle \ldots$ be an infinite run of $N_{\mathfrak{P}}$ where $m_0 = m_i$.

— $\rho$ is an infinite $\mathfrak{P}$-run iff $t_i \in T^{d}_{\mathfrak{P}}$ for infinitely many $i$'s;

— $\rho$ is a fair infinite run iff $\rho$ is an infinite $\mathfrak{P}$-run, and for all $a \in \Sigma$, if $t_i \in T^{d(a)}_{\mathfrak{P}}$ for finitely many $i$'s then $m_j(a) = 0$ for infinitely many $j$'s;

— $\rho$ fairly starves $b$ ($\in \Sigma$) iff $\rho$ is a fair infinite run, and there is a $J \geq 0$ such that for each $j \geq J$,

$m_j(b) \geq 1 \;\wedge\; (t_j \in T^{d(b)}_{\mathfrak{P}} \rightarrow m_j(b) \geq 2)$.



Lemma 6.5. Let $\mathfrak{P}$ be an asynchronous program and let $(N_{\mathfrak{P}}, m_i)$ be an initialized PN as given in Constr. 1.

— $\mathfrak{P}$ has an infinite run iff $(N_{\mathfrak{P}}, m_i)$ has an infinite $\mathfrak{P}$-run;

— $\mathfrak{P}$ has a fair infinite run iff $(N_{\mathfrak{P}}, m_i)$ has a fair infinite run;

— $\mathfrak{P}$ fairly starves $a$ iff $(N_{\mathfrak{P}}, m_i)$ fairly starves $a$.

Moreover, $(N_{\mathfrak{P}}(\mathcal{N}), m_i)$ can be computed in polynomial time from $\mathfrak{P}$.

Proof. It suffices to observe that Def. 6.4 and Def. 4.7 are equivalent using (3). The polynomial-time construction was proven in Lem. 6.1. □

We now give an EXPSPACE-complete decision procedure for termination.

Remark 6.6. In what follows we assume a fixed linear order on the set of transitions $T$ (resp. places $S$) which allows us to identify a multiset with a vector of $\mathbb{N}^T$ (resp. $\mathbb{N}^S$).

We recall a class of path formulas for which the model checking problem is decidable. This class was originally defined in [Yen 1992], but the model checking procedure in that paper had an error which was subsequently fixed in [Atig and Habermehl 2009]. For simplicity, our definition below captures only a subset of the path formulas defined in [Yen 1992], but this subset is sufficient to specify termination.

Fix a PN $N = (S, T, F, m_i)$. Let $\mu_1, \mu_2, \ldots$ be a family of marking variables ranging over $\mathbb{N}^S$ and $\sigma_1, \sigma_2, \ldots$ a family of transition variables ranging over $T^*$.

Terms are defined recursively as follows:

— every $c \in \mathbb{N}^S$ is a term;

— for all $j > i$ and marking variables $\mu_j$ and $\mu_i$, $\mu_j - \mu_i$ is a term;

— $\tau_1 + \tau_2$ and $\tau_1 - \tau_2$ are terms if $\tau_1$ and $\tau_2$ are terms. (Consequently, every mapping $c \in \mathbb{Z}^S$ is also a term.)

Atomic predicates are of two types: marking predicates and transition predicates. 

Marking predicates. There are two types of marking predicates. The first type consists of the forms $\tau_1(p_1) = \tau_2(p_2)$, $\tau_1(p_1) < \tau_2(p_2)$, and $\tau_1(p_1) > \tau_2(p_2)$, where $\tau_1$ and $\tau_2$ are terms and $p_1, p_2 \in S$ are two places of $N$. The second type consists of the forms $\mu(p) \leq z$ and $\mu(p) \geq z$, where $\mu$ is a marking variable, $p \in S$, and $z \in \mathbb{Z}$.

Transition predicates. Define the inner product $\otimes : \mathbb{Z}^T \times \mathbb{Z}^T \rightarrow \mathbb{Z}$ as $c_1 \otimes c_2 = \sum_{t \in T} c_1(t) \cdot c_2(t)$ for $c_1, c_2 \in \mathbb{Z}^T$. A transition predicate is either of the form $\mathit{Parikh}(\sigma_i)(t) \leq c$, where $c \in \mathbb{N}$ and $t \in T$, or of the forms $y \otimes \mathit{Parikh}(\sigma_i) \geq c$ and $y \otimes \mathit{Parikh}(\sigma_i) \leq c$, where $i \geq 1$, $c \in \mathbb{N}$, $y \in \mathbb{Z}^T$, and $\otimes$ denotes the inner product as defined above.

A predicate is a finite positive boolean combination of atomic predicates. A path formula $\Lambda$ is a formula of the form:

$\exists \mu_1, \ldots, \mu_m \; \exists \sigma_1, \ldots, \sigma_m : (m_i\,[\sigma_1\rangle\, \mu_1\,[\sigma_2\rangle \ldots [\sigma_m\rangle\, \mu_m) \wedge \Phi$

where $\Phi$ is a predicate. A path formula $\Lambda$ is increasing if $\Phi$ implies $\mu_1 \leq \mu_m$ (where $\mu_i \leq \mu_j$ for $i < j$ is an abbreviation for $\bigwedge_{p \in S} (\mu_j - \mu_i)(p) > (-1_S)(p)$) and contains no transition predicate. The size of a path formula is the number of symbols in the description of the formula, where constants are encoded in binary.

The satisfiability problem for a path formula $\Lambda$ asks if there exists a run of $N$ of the form $m_i\,[w_1\rangle\, m_1\,[w_2\rangle \cdots m_{m-1}\,[w_m\rangle\, m_m$ for markings $m_1, \ldots, m_m$ and transition sequences $w_1, \ldots, w_m \in T^*$, such that $\Phi(m_1, \ldots, m_m, w_1, \ldots, w_m)$ is true. If $\Lambda$ is satisfiable, we write $N \models \Lambda$.

Theorem 6.7. (from [Atig and Habermehl 2009])

— The satisfiability problem for a path formula is reducible in polynomial time to the reachability problem for Petri nets. Hence, the satisfiability problem is EXPSPACE-hard.

— The satisfiability problem for an increasing path formula is EXPSPACE-complete. 

We now define our reduction of the termination problem to the satisfiability problem for an increasing path formula.

Remark 6.8. Without loss of generality, we assume that in $\mathfrak{P}$ the set $m_0$ of initial pending handler instances is given by the singleton $[a_0]$ for some $a_0 \in \Sigma$, and that $a_0$ is never posted.
Lemma 6.9. Let $\mathfrak{P}$ be an asynchronous program and let $(N_{\mathfrak{P}}, m_i)$ be an initialized PN as given in Constr. 1. Let $\Lambda_t$ be the path formula given by

$\exists \mu_1, \mu_2 \; \exists \sigma_1, \sigma_2 : (m_i\,[\sigma_1\rangle\, \mu_1\,[\sigma_2\rangle\, \mu_2) \;\wedge\; \mu_1 \leq \mu_2 \;\wedge\; T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_2) \geq 1$.

We have $(N_{\mathfrak{P}}, m_i) \models \Lambda_t$ iff $(N_{\mathfrak{P}}, m_i)$ has an infinite $\mathfrak{P}$-run.

Proof. Let us first give a few facts about $\Lambda_t$:

— Fact 0: $\Lambda_t$ is polynomial in the size of $(N_{\mathfrak{P}}, m_i)$.

— Fact 1: $T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_2) \geq 1$ implies that $\sigma_2 \in T^{*}_{\mathfrak{P}} \cdot T^{d}_{\mathfrak{P}} \cdot T^{*}_{\mathfrak{P}}$, because it requires that some transition of $T^{d}_{\mathfrak{P}}$ is fired along $\sigma_2$;

— Fact 2: $\mu_1 \leq \mu_2$ implies that the sequence of transitions given by $\sigma_2$ can be fired over and over.

Let us now turn to the proof.

Only if: Let $m_1, m_2, w_1$ and $w_2$ be a valuation of $\mu_1, \mu_2, \sigma_1$ and $\sigma_2$ respectively such that $\Lambda_t$ is satisfied. Fact 1 shows that $w_2 \neq \varepsilon$ and $\mathit{Parikh}(w_2)(t) \geq 1$ for some $t \in T^{d}_{\mathfrak{P}}$. Then Fact 2 shows that $m_i\,[w_1\rangle\, m_1\,[w_2\rangle^{\omega}$ is an infinite $\mathfrak{P}$-run of $N_{\mathfrak{P}}$ and we are done.

If: Let $\rho$ be an infinite $\mathfrak{P}$-run of $(N_{\mathfrak{P}}, m_i)$. By definition of infinite $\mathfrak{P}$-run, $\rho$ can be written as $m_0\,[w_0\rangle\, m_1 \ldots m_n\,[w_n\rangle \ldots$ where $m_0 = m_i$ and for each $k \geq 0$ we have $w_k \in T^{*}_{\mathfrak{P}} \cdot T^{d}_{\mathfrak{P}} \cdot T^{*}_{\mathfrak{P}}$. By Dickson's Lemma [Dickson 1913], there exist two indices $i < j$ in the above infinite run such that $m_i \leq m_j$. Let $\sigma_1 = w_0 \ldots w_{i-1}$, $\sigma_2 = w_i \ldots w_j$, $\mu_1 = m_i$ and $\mu_2 = m_{j+1}$. Clearly $\mu_1 \leq \mu_2$. Also we have that $\sigma_2 \neq \varepsilon$ because some transition of $T^{d}_{\mathfrak{P}}$ is in each $w_k$, and hence $T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_2) \geq 1$. Thus every conjunct of $\Lambda_t$ is satisfied. □

Proposition 6.10. Given an asynchronous program $\mathfrak{P}$, determining the existence of an infinite run is EXPSPACE-complete.

Proof. As expected, our decision procedure relies on reductions to equivalent PN problems. We start by observing that the PN $N_{\mathfrak{P}}$ can be computed in time polynomial in the size of $\mathfrak{P}$. Lem. 6.5 shows that $\mathfrak{P}$ has an infinite run iff $(N_{\mathfrak{P}}, m_i)$ has an infinite $\mathfrak{P}$-run. Next, Lem. 6.9 shows that determining whether $(N_{\mathfrak{P}}, m_i)$ has an infinite $\mathfrak{P}$-run is equivalent to determining the satisfiability of $(N_{\mathfrak{P}}, m_i) \models \Lambda_t$, where $\Lambda_t$ can be computed in time polynomial in the size of $N_{\mathfrak{P}}$. The formula $\Lambda_t$ is not an increasing path formula because it contains a transition predicate ($T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_2) \geq 1$). However, the problem instance $(N_{\mathfrak{P}}, m_i, \Lambda_t)$ can easily be turned into an equivalent instance $(N'_{\mathfrak{P}}, m'_i, \Lambda'_t)$ that is computable in polynomial time and such that $\Lambda'_t$ is an increasing path formula. This is accomplished by adding a place $p_w$ to which a token is added each time some transition of $T^{d}_{\mathfrak{P}}$ is fired. Then it suffices to replace $T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_2) \geq 1$ by $(\mu_2 - \mu_1)(p_w) > 0_S(p_w)$. It is routine to check that $\Lambda'_t$ is an increasing path formula.

Finally, the result of Thm. 6.7 together with the fact that $\Lambda'_t$ is an increasing path formula shows that the satisfiability of $(N'_{\mathfrak{P}}, m'_i) \models \Lambda'_t$ can be determined in space exponential in the size of the input. Therefore we conclude that determining the existence of an infinite run in a given $\mathfrak{P}$ has an EXPSPACE upper bound. The EXPSPACE lower bound follows by reduction from the termination of simple programs [Lipton 1976]. Indeed, the construction of [Lipton 1976] (see also [Esparza 1998]) shows how a deterministic $2^{2^n}$-bounded counter machine of size $O(n)$ can be simulated by a Petri net of size $O(n^2)$ such that the counter machine has an infinite computation iff the Petri net has an infinite execution, and this construction is easily adapted to use asynchronous programs. □

6.3. Fair Termination 

We now turn to fair termination. 
Lemma 6.11. Let $\mathfrak{P}$ be an asynchronous program and let $(N_{\mathfrak{P}}, m_i)$ be an initialized PN as given in Constr. 1. Let $\Lambda_{ft}$ be the path formula given by

$\exists \mu_1, \mu_2, \mu_3 \; \exists \sigma_1, \sigma_2, \sigma_3 : \; m_i\,[\sigma_1\rangle\, \mu_1\,[\sigma_2\rangle\, \mu_2\,[\sigma_3\rangle\, \mu_3$

$\wedge \; T_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_1) \leq 0 \;\wedge\; \mu_2 \leq \mu_3 \;\wedge\; T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_3) \geq 1$

$\wedge \; \bigwedge_{a \in \Sigma} \big( c_a \otimes \mathit{Parikh}(\sigma_3) = 0 \rightarrow ((p_a - c_a) \otimes \mathit{Parikh}(\sigma_2) = 0 \;\wedge\; p_a \otimes \mathit{Parikh}(\sigma_3) = 0) \big)$

where $c_a, p_a \in \mathbb{M}[T_{\mathfrak{P}}]$ are such that $c_a(t) = I(t)(a)$ and $p_a(t) = O(t)(a)$ for every $t \in T_{\mathfrak{P}}$. We have

$(N_{\mathfrak{P}}, m_i) \models \Lambda_{ft}$ iff $(N_{\mathfrak{P}}, m_i)$ has a fair infinite run.

Proof. As for termination (see Lem. 6.9) we start with a few facts about $\Lambda_{ft}$:

(1) For the sake of clarity we used an implication in $\Lambda_{ft}$. However, the equivalences $A \rightarrow B \equiv \neg A \vee B$ and $c_a \otimes \mathit{Parikh}(\sigma_3) \neq 0 \equiv c_a \otimes \mathit{Parikh}(\sigma_3) \geq 1$ show that the above predicate is indeed a positive boolean combination of atomic predicates, hence $\Lambda_{ft}$ is indeed a path formula.

(2) $\Lambda_{ft}$ is polynomial in the size of the PN.

(3) $T_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_1) \leq 0$ ensures that $\sigma_1 = \varepsilon$, hence that $\mu_1 = m_i$. The reason for this is to be able to use the more expressive transition predicates starting right from the initial marking.

(4) $\mu_2 \leq \mu_3$ implies that the sequence of transitions given by $\sigma_3$ can be fired over and over (by monotonicity).

(5) $T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_3) \geq 1$ ensures that $\sigma_3 \in T^{*}_{\mathfrak{P}} \cdot T^{d}_{\mathfrak{P}} \cdot T^{*}_{\mathfrak{P}}$, as for termination.

(6) The last conjunct ensures that each $a \in \Sigma$ is treated fairly. Intuitively, it says that if $\sigma_3$ does not dispatch $a \in \Sigma$ (given by $c_a \otimes \mathit{Parikh}(\sigma_3) = 0$) then it must hold that (i) $a$ has been posted as many times as it has been dispatched along $\sigma_2$ (given by $(p_a - c_a) \otimes \mathit{Parikh}(\sigma_2) = 0$), and (ii) $\sigma_3$ does not post any call to $a$ (given by $p_a \otimes \mathit{Parikh}(\sigma_3) = 0$). Together, this means that there is no pending call to $a$ along the execution.

We now turn to the proof. 

Only if: Let $m_{\mu_2}, m_{\mu_3}, w_2$ and $w_3$ be a valuation of $\mu_2, \mu_3, \sigma_2$ and $\sigma_3$ respectively such that $\Lambda_{ft}$ is satisfied. Note that by Fact (3), since $\Lambda_{ft}$ holds we have $w_1 = \varepsilon$. Hence we find that $m_i\,[w_2\rangle\, m_{\mu_2}\,[w_3\rangle\, m_{\mu_3}$ where $w_3 \in T^{*}_{\mathfrak{P}} \cdot T^{d}_{\mathfrak{P}} \cdot T^{*}_{\mathfrak{P}}$ by Fact (5). Then Fact (4) shows that the run $\rho$ given by $m_i\,[w_2\rangle\, m_{\mu_2}\,[w_3\rangle^{\omega}$ is an infinite $\mathfrak{P}$-run of $(N_{\mathfrak{P}}, m_i)$.

Let us now show that $\rho$ is also a fair infinite run. We first rewrite $\rho$ as $m_0\,[t_0\rangle\, m_1 \cdots [t_{l-1}\rangle\, m_l\,[t_l\rangle \ldots$ where $m_0 = m_i$, $w_2 = t_0 \ldots t_{l-1}$ and $w_3 = t_l t_{l+1} \ldots$. So we have that $m_l = m_{\mu_2}$.

Our final step is to show that $\rho$ matches a fair infinite run in $(N_{\mathfrak{P}}, m_i)$. By hypothesis $\Lambda_{ft}$ holds, so each implication holds. Fix $a \in \Sigma$. We examine what the satisfaction of the implication entails.

(a) Assume that the left-hand side of the implication does not hold. This means that $w_3$ fires some $t \in T^{d(a)}_{\mathfrak{P}}$, that is, some $t \in T^{d(a)}_{\mathfrak{P}}$ occurs infinitely often along $w_3^{\omega}$, and the run is fair w.r.t. $a$.

(b) If the left-hand side of the implication holds, it means that no transition of $T^{d(a)}_{\mathfrak{P}}$ is fired along $w_3$, hence $t_i \in T^{d(a)}_{\mathfrak{P}}$ holds for finitely many $i$'s in $\rho$. Because the implication is satisfied, Fact (6) shows that, along $w_2$, $a$ is posted as many times as it is dispatched.

We conclude from Remark 6.8 and $m_i(a) = 0$ that $m_l(a) = m_{\mu_2}(a) = 0$, hence that for every position $j \geq l$ we have $m_j(a) = 0$, namely $m_j(a) = 0$ holds for infinitely many $j$'s.

We conclude from the above cases that for every $a \in \Sigma$, if $t_i \in T^{d(a)}_{\mathfrak{P}}$ for finitely many $i$'s then $m_j(a) = 0$ for infinitely many $j$'s, namely $\rho$ is a fair infinite run and we are done.

If: Let $\rho = m_0\,[t_0\rangle\, m_1\,[t_1\rangle \ldots [t_{l-1}\rangle\, m_l\,[t_l\rangle \ldots$ where $m_0 = m_i$ be a fair infinite run of $(N_{\mathfrak{P}}, m_i)$. By definition we find that $\rho$ is an infinite $\mathfrak{P}$-run and that for all $a \in \Sigma$, if $t_i \in T^{d(a)}_{\mathfrak{P}}$ for finitely many $i$'s then $m_j(a) = 0$ for infinitely many $j$'s. Define $S$ to be the set $\{a \in \Sigma \mid t_i \in T^{d(a)}_{\mathfrak{P}} \text{ for finitely many } i\text{'s}\}$. Let $m$ denote a positive integer such that for all $n \geq m$ we have $t_n \in T_{\mathfrak{P}} \setminus \bigcup_{a \in S} T^{d(a)}_{\mathfrak{P}}$. Observe that, because the run is fair, for every $a \in S$ and for all $n \geq m$, we have $m_n(a) = 0$.

Let us now rewrite $\rho$ as $m_0\,[t_0\rangle\, m_1 \ldots m_m\,[t_m\rangle\, m_{i_0}\,[w_{i_0}\rangle\, m_{i_1}\,[w_{i_1}\rangle \ldots$ such that $m_0 = m_i$ and for all $a \in \Sigma \setminus S$ some transition of $T^{d(a)}_{\mathfrak{P}}$ occurs in $w_{i_j}$ for all $j \geq 0$.

Now using Dickson's Lemma [Dickson 1913] over the infinite sequence $m_{i_0}, m_{i_1}, \ldots, m_{i_n}, \ldots$ of markings defined above we find that there exists $l > k$ such that $m_{i_k} \leq m_{i_l}$.

Define $\sigma_1 = \varepsilon$, $\sigma_2 = t_0 \ldots t_m\, w_{i_0} \ldots w_{i_{k-1}}$, $\sigma_3 = w_{i_k} \ldots w_{i_{l-1}}$, $\mu_1 = m_i$, $\mu_2 = m_{i_k}$ and $\mu_3 = m_{i_l}$. Clearly $\mu_2 \leq \mu_3$ and $T_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_1) \leq 0$. Also, some transition of $T^{d}_{\mathfrak{P}}$ occurs in $\sigma_3$ by definition of the $w_{i_j}$'s, hence we find that $T^{d}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_3) \geq 1$.

Let $a \in \Sigma$. The implication $c_a \otimes \mathit{Parikh}(\sigma_3) = 0 \rightarrow ((p_a - c_a) \otimes \mathit{Parikh}(\sigma_2) = 0 \wedge p_a \otimes \mathit{Parikh}(\sigma_3) = 0)$ is divided into two cases.

First, if $a \in S$ then we find that no transition of $T^{d(a)}_{\mathfrak{P}}$ occurs after $t_m$. In particular none occurs in $\sigma_3$, and the left-hand side of the implication holds. We now show that so does the right-hand side. We showed above that $m_n(a) = 0$ for every $n \geq m$. By Rmk. 6.8, initially $m_i = [a_0]$ and $a_0$ never reappears in the task buffer. So we find that $(p_a - c_a) \otimes \mathit{Parikh}(\sigma_2) = 0$ holds. Also $p_a \otimes \mathit{Parikh}(\sigma_3) = 0$ holds because $m_n(a) = 0$ for each $n \geq m$ and no transition of $T^{d(a)}_{\mathfrak{P}}$ occurs in $\sigma_3$, hence no post of $a$ can occur in $\sigma_3$.

Second, if $a \in \Sigma \setminus S$ then we find that some transition of $T^{d(a)}_{\mathfrak{P}}$ occurs along $\sigma_3$ by definition of the $w_{i_j}$'s. Therefore the implication evaluates to true because its left-hand side evaluates to false.

This concludes the proof since every conjunct of $\Lambda_{ft}$ is satisfied. □

Remark 6.12. $\Lambda_{ft}$ is not an increasing path formula because we cannot conclude that it implies $\mu_1 \leq \mu_3$. Since $\sigma_1 = \varepsilon$, for $\mu_1 \leq \mu_3$ to hold we must have $m_i \leq \mu_3$. Because of Rmk. 6.8 it is clearly the case that $m_i \not\leq \mu_3$, since $m_i = [a_0]$ and $a_0$ is dispatched first and never posted afterwards.

We now show a lower bound on the fair termination problem. Given an initialized Boolean PN $(N = (S, T, F), m_0)$ and a place $p \in S$, we reduce the problem of checking whether there exists a reachable marking with no token in place $p$ (which is recursively equivalent to the reachability problem of a marking [Hack 1976]) to the problem of checking whether an asynchronous program constructed from the PN has a fair infinite run. For the sake of clarity, let us index $S = \{p_1, \ldots, p_{|S|}\}$ and assume that $p_1$ plays the role of place $p$ in the above definition.

Fig. 5 shows an outline of the reduction from the reachability problem for PN to the fair termination problem for asynchronous programs. The reduction is similar to the simulation shown in Fig. 4. In particular, we again define a global state $st$, a procedure runPN to fire transitions, and $|S|$ procedures, one for each $p_i \in S$.

The program has three global variables: two booleans terminate and p_1_is_null, and the variable $st$ which ranges over a finite subset of $(T \cup \{\varepsilon\}) \times S^*$. The program has $|S| + 3$ procedures: one procedure for each $p_i \in S$, main, guess and runPN. The role of main is to initialize the global variables, and to post runPN and guess. As before, the role of runPN is to simulate the transitions of the PN. The role of guess is related to checking whether there exists some marking $m \in [m_0\rangle$ such that $m(p_1) = 0$, and is explained below.

The program of Fig. 5 preserves the same invariant as the program of Fig. 4, which is as follows. Whenever the program state is such that $st$ coincides with $(t, \varepsilon)$ for some $t \in T \cup \{\varepsilon\}$, the multiset $m$ given by the pending instances of handlers $p \in S$ is such that $m \in [m_0\rangle$ and there exists $w \in T^*$ such that $m_0\,[w \cdot t\rangle\, m$.

We now explain the role played by procedure guess and the variables p_1_is_null and terminate. After the dispatch of main, guess is pending. As long as guess does not run, the program behaves exactly like the program of Fig. 4. That is, runPN selects a transition which, if enabled, fires. Once the firing is complete runPN selects a transition, and so on. Now consider the dispatch of guess, which must eventually occur by fairness. It sets p_1_is_null to true. This prevents runPN from reposting itself, hence from selecting a transition to fire. So the dispatch of guess stops the simulation. Now we will see that if the program has an infinite run then the dispatch of guess has to occur in a configuration where (i) $st \in (T \cup \{\varepsilon\}) \times \{\varepsilon\}$ and (ii) the marking $m$ corresponding to the current configuration is such that $m(p_1) = 0$. For (i), we see that if the precondition of $st$ does not equal $\varepsilon$ then terminate is set to true in guess, hence every dispatch that follows does not post, and the program eventually terminates. For (ii), suppose that guess runs and that in the current configuration there is a pending instance of $p_1$. By fairness we find that eventually $p_1$ has to be dispatched. Since guess has set p_1_is_null to true, the dispatch of $p_1$ sets terminate to true and the program will eventually terminate following the same reasoning as above. So if the program has a fair infinite run then it cannot have any pending instance of handler $p_1$ after the dispatch of guess. The rest of the infinite run looks like this. After the dispatch of guess, runPN is dispatched at most once. Every dispatch of a $p_i$ for $i \in \{2, \ldots, |S|\}$ will simply repost itself since $st$ has an empty precondition and the value of terminate is false. This way we have a run $\rho$ with infinitely many dispatches and no effect: $\rho$ leaves the program in the exact same configuration, which corresponds to a marking $m \in [m_0\rangle$ such that $m(p_1) = 0$. Notice that if the current configuration of the program corresponds to the marking $m = \emptyset$ we have that $m(p_1) = 0$ but the program terminates. We can avoid this undesirable situation by adding one more place $p_g$ to the PN such that it is marked initially and no transition is connected to $p_g$.

Let us now turn to the other direction. Suppose there exists $w \in T^*$ such that $m_0\,[w\rangle\, m$ with $m(p_1) = 0$. The fair infinite run of the asynchronous program has the following form. The invariant shows that the program can simulate the firing of $w$ and end up in a configuration with no pending instance of handler $p_1$ and such that the precondition of $st$ is $\varepsilon$. Then guess is dispatched, followed by a fair infinite sequence of dispatches of $p_i$ for $i \in \{2, \ldots, |S|\}$. Because of $st$, the dispatch of $p_i$ has no effect but reposting $p_i$. So we have a fair infinite run.

This shows that the fair termination problem is polynomial-time equivalent to the Petri 
net reachability problem. 

The reduction also suggests that finding an increasing path formula for fair termination will be non-trivial, since it would imply that Petri net reachability is in EXPSPACE.
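The simulation behind Fig. 4 and Fig. 5 (a scheduler dispatching place handlers that consume the precondition held in $st$, with guess, p_1_is_null and terminate cutting the simulation off) can be exercised mechanically. The following Python is an added example and not code from the paper: it enumerates every dispatch order of the Fig. 5 program on two small constructed nets, checks the stated invariant against marking reachability computed directly on the net, and checks the fair-infinite-run criterion against the existence of a reachable marking with $m(p_1) = 0$. The nets, the token bound and every function name are assumptions of the example.

```python
from collections import Counter, deque

# Constructed example nets (not from the paper); a transition maps to (I(t), O(t)).
# NET_A: t1: p1 -> p2, t2: p2 -> p1 + p3, m0 = [p1], so [p2] (no token in p1) is
# reachable.  NET_B: t1: p1 -> p1 + p2, m0 = [p1], so p1 is always marked.
NET_A = (("p1", "p2", "p3"), {"t1": (("p1",), ("p2",)), "t2": (("p2",), ("p1", "p3"))},
         Counter({"p1": 1}))
NET_B = (("p1", "p2"), {"t1": (("p1",), ("p1", "p2"))}, Counter({"p1": 1}))
EPS = ""  # the empty word; st is a pair (tr, w) with w a tuple of places

def fire(places, pre, post, m):
    """Marking vector after firing (pre, post) on m, or None if not enabled."""
    m2 = list(m)
    for p in pre:
        m2[places.index(p)] -= 1
    enabled = min(m2) >= 0              # no place was over-consumed
    for p in post:
        m2[places.index(p)] += 1
    return tuple(m2) if enabled else None

def pn_reachable(net, bound):
    """Markings reachable from m0 through markings with at most `bound` tokens."""
    places, transitions, m0 = net
    start = tuple(m0[p] for p in places)
    seen, todo = {start}, deque([start])
    while todo:
        m = todo.popleft()
        for pre, post in transitions.values():
            m2 = fire(places, pre, post, m)
            if m2 is not None and sum(m2) <= bound and m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen

def freeze(st, p1_null, term, buf):  # hashable configuration, buffer as a multiset
    return (st, p1_null, term, tuple(sorted((h, n) for h, n in buf.items() if n > 0)))

def dispatch(net, conf, name):
    """Run handler `name` once on `conf` as in Fig. 5; returns all successors."""
    places, transitions, _ = net
    st, p1_null, term, buf = conf
    buf = Counter(dict(buf))
    buf[name] -= 1                      # the dispatched task leaves the buffer
    if name == "main":
        buf["runPN"] += 1
        buf["guess"] += 1
        return [freeze((EPS, ()), False, False, buf)]
    if name == "guess":                 # precondition not empty: terminate
        return [freeze(st, True, term or st[1] != (), buf)]
    if name == "runPN":
        if not p1_null:                 # once guess ran, runPN stops reposting
            buf["runPN"] += 1
        if p1_null or st[1] != ():      # nothing to pick while a firing is in progress
            return [freeze(st, p1_null, term, buf)]
        return [freeze((t, tuple(pre)), p1_null, term, buf)   # pick t nondeterministically
                for t, (pre, _) in transitions.items()]
    if name == places[0] and p1_null:   # p_1 dispatched after guess: terminate
        return [freeze(st, p1_null, True, buf)]
    if st[1] != () and st[1][0] == name:  # p_i is first in the precondition: consume it
        t, rest = st[0], st[1][1:]
        if rest == ():                  # firing complete: post O(t)
            for q in transitions[t][1]:
                buf[q] += 1
        return [freeze((t, rest), p1_null, term, buf)]
    if not term:                        # otherwise p_i reposts itself
        buf[name] += 1
    return [freeze(st, p1_null, term, buf)]

def explore(net, bound):
    """Configurations reachable under every dispatch order, with at most `bound`
    pending place handlers (the task-buffer analogue of the token bound)."""
    places, _, m0 = net
    init = freeze((EPS, ()), False, False, Counter({"main": 1}) + m0)
    seen, todo = {init}, deque([init])
    while todo:
        c = todo.popleft()
        for h, _ in c[3]:
            for c2 in dispatch(net, c, h):
                if sum(n for h2, n in c2[3] if h2 in places) <= bound and c2 not in seen:
                    seen.add(c2)
                    todo.append(c2)
    return seen

def invariant_holds(net, bound):
    """st in (T u {eps}) x {eps} and terminate false => pending p_i form a reachable
    marking; conversely every reachable marking within the bound is realised."""
    reach, realised = pn_reachable(net, bound), set()
    for st, _, term, buf in explore(net, bound):
        if st[1] == () and not term:
            m = tuple(dict(buf).get(p, 0) for p in net[0])
            if m not in reach:
                return False
            realised.add(m)
    return realised == reach

def has_fair_infinite_run(net, bound):
    """Fig. 5 criterion: guess ran with an empty precondition, no pending p_1 is
    left, and some other handler remains to repost itself forever."""
    p1, others = net[0][0], net[0][1:]
    return any(p1_null and not term and st[1] == () and p1 not in dict(buf)
               and any(p in dict(buf) for p in others)
               for st, p1_null, term, buf in explore(net, bound))
```

The bound on pending place handlers keeps the exploration finite; NET_B exercises the case where the dispatch of $p_1$ after guess forces termination, so no fair infinite run is found.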

Proposition 6.13. Given an asynchronous program $\mathfrak{P}$, determining the existence of a fair infinite run is polynomial-time equivalent to the reachability problem for PN. Hence, it is EXPSPACE-hard and can be solved in non-primitive recursive space.

Proof. As in Prop. 6.10, our decision procedure relies on reductions to equivalent PN problems. Define $N_{\mathfrak{P}}$ to be the PN given by $N_{\mathfrak{P}}(\mathcal{N})$. Lem. 6.5 shows that $\mathfrak{P}$ has a fair infinite run iff so does $(N_{\mathfrak{P}}, m_i)$. Next, Lem. 6.11 shows that determining whether $(N_{\mathfrak{P}}, m_i)$ has a fair infinite run is equivalent to determining the satisfiability of $(N_{\mathfrak{P}}, m_i) \models \Lambda_{ft}$, where $\Lambda_{ft}$ is computable in time polynomial in the size of $N_{\mathfrak{P}}$. Finally, Th. 6.7 shows that the
global st, p_1_is_null, terminate;

main() {
    st = (ε, ε);
    p_1_is_null = false;
    terminate = false;
    post runPN();
    post guess();
}

guess() {
    p_1_is_null = true;
    if (st ∉ (T ∪ {ε}) × {ε}) {
        terminate = true;
    }
}

runPN() {
    if p_1_is_null == false {
        if (st ∈ (T ∪ {ε}) × {ε}) {
            pick t' ∈ T non det.;
            st = (t', I(t'));
        }
        post runPN();
    }
}

p_1() {
    if p_1_is_null == true {
        terminate = true;
    } else {
        if st == (t, p_1 · w') {
            st = (t, w');
            if w' == ε {
                for each j ∈ {1, ..., |S|} do {
                    if O(t)(p_j) > 0 {
                        post p_j();
                    }
                }
            }
        } else {
            if terminate == false {
                post p_1();
            }
        }
    }
}

p_i() { // for i ∈ {2, ..., |S|}
    if st == (t, p_i · w') {
        st = (t, w');
        if w' == ε {
            for each j ∈ {1, ..., |S|} do {
                if O(t)(p_j) > 0 {
                    post p_j();
                }
            }
        }
    } else {
        if terminate == false {
            post p_i();
        }
    }
}

Initially: m_0 ⊕ [main]

Fig. 5. Let $(N = (S, T, F), m_0)$ be an initialized Boolean PN such that $p_1 \in S$ and $\forall t \in T : |I(t)| > 0$. $\exists m \in [m_0\rangle : m(p_1) = 0$ iff the asynchronous program has a fair infinite execution.



satisfiability of $(N_{\mathfrak{P}}, m_i) \models \Lambda_{ft}$ is reducible to a reachability problem for PN. The best known upper bounds for the reachability problem in PN take non-primitive recursive space. Therefore, we conclude that determining the existence of a fair infinite run in a given $\mathfrak{P}$ can be solved in non-primitive recursive space.

The lower bound is a consequence of (1) the reduction from the reachability problem for PN to the fair termination problem for asynchronous programs given in Fig. 5 and (2) the EXPSPACE lower bound for the reachability problem for PN. □
6.4. Fair starvation

Recall that the fair starvation property states that there is no pending handler instance 
that is starved (i.e. never leaves the task buffer) along any fair infinite run. 

In order to solve the fair starvation problem, we first define Constr. 2, which modifies Constr. 1 by introducing constructs specific to the starvation problem. In what follows, we assume that the assumption of Rmk. 6.8 holds.

We first give some intuition. A particular pending instance of handler $a$ starves if there exists a fair infinite execution such that from some point in time, call it $f$, there is an instance of handler $a$ in the task buffer that never leaves it. Because the run is fair and there is at least one instance of handler $a$ in the task buffer, $a$ is going to be dispatched infinitely often. In this case, a particular instance of handler $a$ never leaves the task buffer iff each time a dispatch of $a$ occurs the task buffer contains two or more instances of $a$.

In order to capture infinite fair runs of an asynchronous program that starve a specific handler $a$, we modify the Petri net construction as follows. The PN has two parts: the first part simulates the asynchronous program as before, and the second part, which also simulates the asynchronous program, ensures that an instance of handler $a$ never leaves the task buffer. In order to ensure that condition, the Petri net simply requires that any dispatch of $a$ needs at least two pending instances of $a$ rather than just one (as in the normal simulation), and the dispatch transition consumes one instance of $a$ and puts back the second instance. The Petri net non-deterministically transitions from the first part of the simulation to the second. The transition point serves as a guess of the time point $f$ from which the task buffer always contains at least one pending instance of handler $a$. We now formalize the intuition.

Construction 2 (Petri net for fair starvation). Let $\mathfrak{P} = (D, \Sigma, G, R, d_0, m_0)$ be an asynchronous program. Let $\mathcal{N} = \{N_c\}_{c \in \mathcal{E}}$ with $N_c = (S_c, T_c, F_c)$ be an adequate family of widgets.

Let $a \in \Sigma$. Define $\mathcal{E}_a$ to be the set $\mathcal{E} \cap (D \times \{a\} \times D)$ and $(N^{a}_{\mathfrak{P}}(\mathcal{N}), m'_i)$ to be an initialized PN where (1) $N^{a}_{\mathfrak{P}}(\mathcal{N}) = (S_{\mathfrak{P}}, T_{\mathfrak{P}}, F_{\mathfrak{P}})$ is given as follows:

— $S_{\mathfrak{P}} = D \cup \Sigma \cup \bigcup_{c \in \mathcal{E}} S_c \cup \{p_f, p_\infty\}$

— $T_{\mathfrak{P}} = \{t^{f/\infty}\} \cup \bigcup_{c \in \mathcal{E}} T_c \cup \{t^{<}_c\}_{c \in \mathcal{E} \setminus \mathcal{E}_a} \cup \{t^{<f}_c, t^{<\infty}_c\}_{c \in \mathcal{E}_a} \cup \{t^{>}_c\}_{c \in \mathcal{E}}$

— $F_{\mathfrak{P}}$ is given by

$F_{\mathfrak{P}}(t^{f/\infty}) = ([p_f], [p_\infty])$

$F_{\mathfrak{P}}(t^{<}_c) = ([d_1, b], [(\mathit{begin}, c)])$ for $c = (d_1, b, d_2) \in \mathcal{E} \setminus \mathcal{E}_a$

$F_{\mathfrak{P}}(t^{<f}_c) = ([d_1, a, p_f], [(\mathit{begin}, c), p_f])$ for $c = (d_1, a, d_2) \in \mathcal{E}_a$

$F_{\mathfrak{P}}(t^{<\infty}_c) = ([d_1, a, a, p_\infty], [(\mathit{begin}, c), a, p_\infty])$ for $c = (d_1, a, d_2) \in \mathcal{E}_a$

$F_{\mathfrak{P}}(t) = F_c(t)$ for $t \in T_c$

$F_{\mathfrak{P}}(t^{>}_c) = ([(\mathit{end}, c)], [d_2])$ for $c = (d_1, b, d_2) \in \mathcal{E}$

and (2) $m'_i = [d_0, p_f] \oplus m_0$.

In an execution of the PN, the occurrence of transition $t^{f/\infty}$ corresponds to the Petri net's transition from the first mode of simulation to the second, i.e., the guess of the point $f$ in time from which an instance of $a$ never leaves the task buffer.

In what follows we use the notation $N^{a}_{\mathfrak{P}}$ to denote $N^{a}_{\mathfrak{P}}(\mathcal{N})$ for an adequate family $\mathcal{N}$.

Lemma 6.14. Let $\mathfrak{P}$ be an asynchronous program and let $\mathcal{N} = \{N_c\}_{c \in \mathcal{E}}$ be an adequate family. Define $(N_{\mathfrak{P}}, m_i)$ to be the initialized PN $(N_{\mathfrak{P}}(\mathcal{N}), m_i)$ as in Constr. 1 and, given $a \in \Sigma$, define $(N^{a}_{\mathfrak{P}}, m'_i)$ to be the initialized PN $(N^{a}_{\mathfrak{P}}(\mathcal{N}), m'_i)$ as in Constr. 2. Let the path formula $\Lambda^{a}_{fs}$ be given by

$\exists \mu_1, \mu_2, \mu_3 \; \exists \sigma_1, \sigma_2, \sigma_3 : \; m'_i\,[\sigma_1\rangle\, \mu_1\,[\sigma_2\rangle\, \mu_2\,[\sigma_3\rangle\, \mu_3$

$\wedge \; T_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_1) \leq 0 \;\wedge\; \mu_2 \leq \mu_3 \;\wedge\; T^{d(a)}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_3) \geq 1 \;\wedge\; [t^{f/\infty}] \otimes \mathit{Parikh}(\sigma_2) > 0$

$\wedge \; \bigwedge_{b \in \Sigma} \big( c_b \otimes \mathit{Parikh}(\sigma_3) = 0 \rightarrow ((p_b - c_b) \otimes \mathit{Parikh}(\sigma_2) = 0 \;\wedge\; p_b \otimes \mathit{Parikh}(\sigma_3) = 0) \big)$

where $c_b(t) = I(t)(b)$ and $p_b(t) = O(t)(b)$ for every $t \in T_{\mathfrak{P}}$. We have

$(N^{a}_{\mathfrak{P}}, m'_i) \models \Lambda^{a}_{fs}$ iff $(N_{\mathfrak{P}}, m_i)$ fairly starves $a$.

Proof. If: $(N_{\mathfrak{P}}, m_i)$ fairly starves $a$ implies the existence of a fair infinite run $\rho = m_0\,[t_0\rangle\, m_1\,[t_1\rangle \ldots$ and an index $J \geq 0$ such that for each $j \geq J$ we have $m_j(a) \geq 1 \wedge (t_j \in T^{d(a)}_{\mathfrak{P}} \rightarrow m_j(a) \geq 2)$.

To show that $\rho$ yields the existence of a run $\rho'$ in $(N^{a}_{\mathfrak{P}}, m'_i)$ which satisfies $\Lambda^{a}_{fs}$, we first define a set of positions in $\rho$ as we did in Lem. 6.11 for fair termination. For $b \in \Sigma$, we define $m_b$ such that if every transition in $T^{d(b)}_{\mathfrak{P}}$ occurs finitely often then $m_b$ is greater than the last such occurrence; else (some $t \in T^{d(b)}_{\mathfrak{P}}$ occurs infinitely often) $m_b = 0$. Define $m$ to be the maximum over $\{J\} \cup \{m_b \mid b \in \Sigma\}$.

Let us now rewrite $\rho$ as the following infinite run

$m_0\,[t_0\rangle\, m_1 \ldots m_m\,[t_m\rangle\, m_{i_0}\,[w_{i_0}\rangle\, m_{i_1}\,[w_{i_1}\rangle \ldots$ (4)

such that for every $b \in \Sigma$, if some $t \in T^{d(b)}_{\mathfrak{P}}$ occurs infinitely often then that $t$ occurs in each $w_{i_j}$ for $j \geq 0$.

Our next step is to associate to $\rho$ a counterpart $\rho'$ in $(N^{a}_{\mathfrak{P}}, m'_i)$. The run $\rho$ from Eqn. 4 is associated with the trace $\rho'$ given by

$m_0 \oplus [p_f]\,[t'_0\rangle \cdots m_m \oplus [p_f]\,[t'_m\rangle\, m_{i_0} \oplus [p_f]\,[t^{f/\infty}\rangle\, m_{i_0} \oplus [p_\infty]\,[t'_{i_0}\rangle\, m_{i_0 + 1} \oplus [p_\infty] \ldots$

where $m_0 = m_i$ and $m'_i = m_0 \oplus [p_f]$. $\rho'$ is such that before the occurrence of $t^{f/\infty}$, if $t_i = t^{<}_c$ where $c \in \mathcal{E}_a$ then $t'_i = t^{<f}_c$; else ($c \in \mathcal{E} \setminus \mathcal{E}_a$) $t'_i = t_i$. Moreover, after the occurrence of $t^{f/\infty}$, if $t_i = t^{<}_c$ where $c \in \mathcal{E}_a$ then $t'_i = t^{<\infty}_c$; else $t'_i = t_i$.

Since $m \geq J$ and $\rho$ fairly starves $a$, we deduce that for every $j \geq m$ we have $m_j(a) \geq 1$ and $t_j \in T^{d(a)}_{\mathfrak{P}} \rightarrow m_j(a) \geq 2$. This implies that the transitions of the form $t^{<\infty}_c$, which occur after $t^{f/\infty}$ only, hence after $m$, are enabled because their counterpart $t^{<}_c$ in $N_{\mathfrak{P}}$ is enabled in $\rho$. Hence we conclude that $\rho'$ is a run of $(N^{a}_{\mathfrak{P}}, m'_i)$.

Now using Dickson's Lemma [Dickson 1913] over the infinite sequence $m_{i_0}, m_{i_1}, \ldots, m_{i_n}, \ldots$ of markings defined above we find that there exists $l > k$ such that $m_{i_k} \leq m_{i_l}$.

Finally, let $\sigma_1 = \varepsilon$, $\sigma_2 = t'_0 \ldots t'_m\, t^{f/\infty}\, w'_{i_0} \ldots w'_{i_{k-1}}$, $\sigma_3 = w'_{i_k} \ldots w'_{i_{l-1}}$, $\mu_1 = m'_i$, $\mu_2 = m_{i_k}$ and $\mu_3 = m_{i_l}$. Clearly $\mu_2 \leq \mu_3$, $T_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_1) \leq 0$ and $[t^{f/\infty}] \otimes \mathit{Parikh}(\sigma_2) > 0$. We conclude from $m_j(a) \geq 1$ for all $j \geq m$ and because $\rho$ is fair that some transition of $T^{d(a)}_{\mathfrak{P}}$ must occur infinitely often, hence that it occurs in $w_{i_j}$ for all $j \geq 0$, and finally that $T^{d(a)}_{\mathfrak{P}} \otimes \mathit{Parikh}(\sigma_3) \geq 1$ by definition of $\sigma_3$. Finally let $b \in \Sigma$; the implication $c_b \otimes \mathit{Parikh}(\sigma_3) = 0 \rightarrow ((p_b - c_b) \otimes \mathit{Parikh}(\sigma_2) = 0 \wedge p_b \otimes \mathit{Parikh}(\sigma_3) = 0)$ holds using arguments similar to the proof of Lem. 6.11. This concludes this part of the proof since every conjunct of $\Lambda^{a}_{fs}$ is satisfied.
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Only if: The arguments used here are close to the ones of Lem. 6.11. Let m M2 , m M3 , 
W2 and u> 3 be a valuation of /12, P-3, o~2 and cr 3 respectively such that A? s is satisfied. 
Tfp (g) Parikh(cri) < shows that o\ — e. Hence we find that m, [w-z) m M2 [u> 3 ) m M3 where 
w 3 € (T<p)* • T^ (a) • (T<p)* because T^ (a) © Parikh(cr 3 ) > 1 holds. Then ^ 2 < /i 3 shows that 
the run p given by m, [W2) m /x 2 [^3 ) is an infinite run of (JV$,mi). P //o °] © Parikh(cr 2 ) > 
where F<^(t^°°) = ([p/], [Poo]) shows that the token initially in moves to Poo while W2 
executes. 

Our next step is to show that p matches a run p' in (iVrp, m 4 ) which fairly starves a. By 
hypothesis, A" s holds and so does each implication. Let b € S, we examine the satisfiability 
of the implication. 

(a) Assume that the left hand side does not hold which means that W3 fires some 
that is some occurs infinitely often along u> 3 . 

(b) If the left hand side of the implication holds we find that no is fired along 103, 

hence i, £ holds for finitely many i's in p. Observe that b ^ a because we showed some 

T^ a ^ fires infinitely often in p. Because the implication is satisfied, along W2, b is posted as 
many times as it is dispatched. 

Hence, using similar arguments as those of Lem. 6.11 that we will not repeat here, we 
find that p' is a fair infinite run. 

Also, since $[t^{\infty}_{\mu_0}] \otimes \mathrm{Parikh}(\sigma_2) > 0$ holds, we find that $t^{\infty}_{\mu_0}$ occurs in $w_2$. This, together with the fact that some transition of $T^{(a)}_{\mathfrak{P}}$ fires infinitely often in $w_3$, implies that each time a token is removed from $a$ (through some $t_c$ for some $c$) at least one token remains; hence $m_j(a) \geq 2$ before a token is removed from $a$, hence $\rho$ fairly starves $a$.

Our last step shows that $\rho$ has a counterpart $\rho'$ in $(N_{\mathfrak{P}}, m_i)$ and that $\rho'$ fairly starves $a$. Let us define $\rho'$ by abstracting away from $\rho$ the places $\{p_f, p_\infty\}$ and the occurrence of $t^{\infty}_{\mu_0}$. Clearly $\rho'$ is an infinite run of $(N_{\mathfrak{P}}, m_i)$ fairly starving $a$. ∎

Proposition 6.15. Given an asynchronous program $\mathfrak{P}$, determining the existence of a run that fairly starves some $a \in \Sigma$ is polynomial-time equivalent to PN reachability. Fair starvation for asynchronous programs is EXPSPACE-hard and can be solved in non-primitive recursive space.

Proof. As in Prop. 6.13, our decision procedure relies on reductions to equivalent PN problems. Fix $N_{\mathfrak{P}}$ to be the PN given by $N_{\mathfrak{P}}(\mathcal{N})$. Lem. 6.5 shows that $\mathfrak{P}$ has a run that fairly starves some $a \in \Sigma$ iff so does $(N_{\mathfrak{P}}, m_i)$. Next, Lem. 6.14 shows that determining whether $(N_{\mathfrak{P}}, m_i)$ has a run that fairly starves a given $a \in \Sigma$ is equivalent to determining the satisfiability of $(N'_{\mathfrak{P}}, m'_i) \models \Lambda^{fs}$, where $N'_{\mathfrak{P}}$ and $m'_i$ are given as in Constr. 2. The reduction from the problem of determining whether $\mathfrak{P}$ fairly starves $a$ to the problem of checking whether $(N'_{\mathfrak{P}}, m'_i) \models \Lambda^{fs}$ holds can be carried out in polynomial time.

Finally, Th. 6.7 shows that the satisfiability of $(N'_{\mathfrak{P}}, m'_i) \models \Lambda^{fs}$ is reducible to a reachability problem for PN, which can be solved using non-primitive recursive space. Therefore, we conclude that determining the existence of a run that fairly starves $a$ for a given $\mathfrak{P}$ and $a \in \Sigma$ can be solved using non-primitive recursive space.

The lower bound is established similarly to the reduction for fair termination (see the asynchronous program $\mathfrak{P}$ of Fig. 5). Let us recall some intuition. After a finite amount of time, $\mathfrak{P}$ guesses that the current state of the task buffer has no pending instance of $p_1$. If the guess is wrong, $\mathfrak{P}$ will eventually terminate. If the guess is correct, then the program will enter a fair infinite run $\rho$. We can massage $\mathfrak{P}$ so that $\rho$ is a fair infinite run starving a given handler $p_\star$. Initially, the task buffer contains one pending instance of the special handler $p_\star$. If terminate is false, then $p_\star$ posts itself twice; otherwise it does nothing. This guarantees that if $\mathfrak{P}$ incorrectly guesses when $p_1$ is empty, then the number of pending instances of $p_\star$ will eventually be 0 and $\mathfrak{P}$ will terminate as above. Otherwise, if $\mathfrak{P}$ correctly guesses when $p_1$ is empty, the number of pending instances of $p_\star$ will grow unboundedly, therefore preventing some pending $p_\star$ from ever completing. The EXPSPACE-hardness follows from the corresponding hardness for Petri net reachability. ∎

7. EXTENSIONS: ASYNCHRONOUS PROGRAMS WITH CANCELLATION 

The basic model of asynchronous programming considered so far allows posting a handler, but no other changes to the task buffer. In practice, APIs or languages for asynchronous programming provide additional capabilities, such as cancelling one or all pending instances of a given handler, and checking whether there are pending instances of a handler. For example, the node.js library for JavaScript allows cancelling all posted handlers of a certain kind. A model with cancellation can also be used to abstractly model asynchronous programs with timeouts associated with handlers, i.e., where a handler should not be called after a specific amount of time has passed since the post.

We now discuss extensions of asynchronous programs that model cancellation of handlers. 

7.1. Formal model 

We now give a model for asynchronous programming in which the programmer can perform asynchronous calls as before, but in addition can cancel pending instances of a given handler. Informally, the command cancel f() immediately removes every pending handler instance of f from the task buffer.

To model this extension, we define an extension of asynchronous programs called asynchronous programs with cancel. The first step is to associate to every handler $f$ an additional symbol $\bar f$, which intuitively represents a cancellation of handler $f \in \Sigma$.

Let $\Sigma$ be the set of handler names; we denote by $\bar\Sigma$ a distinct copy of $\Sigma$ such that for each $a \in \Sigma$ we have $\bar a \in \bar\Sigma$. So in the setting with cancel, an asynchronous program defines an extended alphabet $\Gamma = \Sigma_i \cup \Sigma \cup \bar\Sigma$ whose parts respectively model internal statements, the posting and the cancellation of handler instances. We thus have that an asynchronous program with cancel $\mathfrak{P} = (D, \Sigma \cup \bar\Sigma, \Sigma_i, G, R, d_0, m_0)$ consists of a finite set of global states $D$, an alphabet $\Sigma \cup \bar\Sigma$ of handler posts and cancels, an alphabet $\Sigma_i$ of internal statements, a CFG $G = (\mathcal{X}, \Gamma, \mathcal{P})$, a regular grammar $R = (D, \Gamma, \delta)$, a multiset $m_0$ of initial pending handler instances, and an initial state $d_0 \in D$.

As with asynchronous programs without cancel, we model the (potentially recursive) code of a handler using a context-free grammar. The code of a handler does two things: first, it can change the global state (through $R$), and second, it can add and remove pending handler instances from the task buffer (through the derivation of a word in $(\Sigma \cup \bar\Sigma)^*$). A symbol $a \in \Sigma$ is interpreted as a post of handler $a$, and a symbol $\bar a \in \bar\Sigma$ is interpreted as the removal of all pending instances of handler $a$.

The set of configurations of $\mathfrak{P}$ is given by $D \times M[\Sigma]$. Observe that it does not differ from asynchronous programs without cancel. The transition relation $\rightarrow \subseteq (D \times M[\Sigma]) \times (D \times M[\Sigma])$ is defined as follows: let $m, m' \in M[\Sigma]$, $d, d' \in D$ and $a \in \Sigma$; then

$$(d, m \oplus [a]) \xrightarrow{a} (d', m')$$

iff

$$\exists w \in \Gamma^* : d \Rightarrow^*_R w \cdot d' \ \wedge\ X_a \Rightarrow^*_G w \ \wedge\ \forall b \in \Sigma : \Psi_1(b) \vee \Psi_2(b),$$

where $\Psi_1(b)$ is given by

$$\exists w_1 \in \Gamma^*\ \exists w_2 \in (\Gamma \setminus \{\bar b\})^* : w = w_1 \cdot \bar b \cdot w_2 \ \wedge\ m'(b) = \mathrm{Parikh}(w_2)(b)$$

and $\Psi_2(b)$ is given by

$$w \in (\Gamma \setminus \{\bar b\})^* \ \wedge\ m'(b) = m(b) + \mathrm{Parikh}(w)(b).$$

The transition relation $\rightarrow$ states that there is a transition from configuration $(d, m \oplus [a])$ to $(d', m')$ if there is an execution of handler $a$ that changes the global state from $d$ to $d'$ and performs a sequence of posts and cancels which leaves the task buffer in state $m'$. A cancel immediately removes every pending instance of the handler being cancelled. Note that, contrary to the case without cancel, the order in which handler instances are added to and removed from the task buffer does matter: the pending instances of $b$ that survive are exactly those posted after the last $\bar b$ in $w$.

Finally, let us observe that asynchronous programs with cancel $(D, \Sigma \cup \bar\Sigma, \Sigma_i, G, R, d_0, m_0)$ define a well-structured transition system $((D \times M[\Sigma], \sqsubseteq), \rightarrow, c_0)$ where $\sqsubseteq$ is the ordering used for asynchronous programs: $\sqsubseteq \subseteq (D \times M[\Sigma]) \times (D \times M[\Sigma])$ is given by $c \sqsubseteq c'$ iff $c.d = c'.d$ and $c.m \preceq c'.m$.

The safety, boundedness, configuration reachability and (fair) non-termination problems for asynchronous programs with cancel are defined as for asynchronous programs (without cancel).

7.2. Construction of an equivalent asynchronous program 

Similarly to what we have done for Lem. 4.5, we now give a simpler yet equivalent semantics to asynchronous programs with cancel. To compute the task buffer content after the run $\rho$ of a handler $h$, the following information is needed: (i) the current content of the task buffer, (ii) the set of cancelled handlers along $\rho$, and (iii) for each handler $b \in \Sigma$ the number of posts to $b$ that are still pending after $\rho$, that is, the number of posts to $b$ that have not been subsequently neutralized by a cancel of $b$.

Intuitively, our construction uses the following steps. 

First, using the construction of Def. 4.2, we eliminate the need to carry around internal actions and the regular grammar $R$. We get a CFG $G^R$ as a result of this step, and for each context $c = (d, a, d')$ we get the initialized CFG $G_c$ using Def. 4.4. Remember that in $G^R$ and $G_c$ the alphabet is $\Sigma \cup \bar\Sigma$, that is, both posts and cancels are visible.

Now, consider a run of G c . For each handler a, we want to remember how many posts to 
a were issued after the last call (if any) to cancel a, and also to remember if a cancel to a 
was issued in the handler along the execution. To update the task buffer, for each handler 
a for which no cancel was issued, we proceed as before and add all the new posts of a to 
the buffer. For each handler a for which a cancel was called, we first remove all pending 
instances of a from the task buffer, and then add all instances of a posted after the last 
issuance of a cancel. We now give a formal construction that takes any grammar G and 
computes a new grammar from which we can get these two pieces of information. 

Let $G = (\mathcal{X}, \Sigma \cup \bar\Sigma, \mathcal{P})$ be a CFG. Define the reverse $r(G) = (\mathcal{X}, \Sigma \cup \bar\Sigma, \mathcal{P}')$ as the CFG where $\mathcal{P}'$ is the least set containing the production $X \to a$ for each $X \to a$ in $\mathcal{P}$ and the production $X \to BA$ for each production $X \to AB$ in $\mathcal{P}$. It is easy to see that for each $X \in \mathcal{X}$ and each $w \in (\Sigma \cup \bar\Sigma)^*$, we have $X \Rightarrow^*_G w$ iff $X \Rightarrow^*_{r(G)} w^r$, where $w^r$ is the reverse of $w$.

Define the regular grammar $C = (\mathcal{Y}, \Sigma \cup \bar\Sigma, \mathcal{P}_{\mathcal{Y}})$, where $\mathcal{Y} = \{Y_S \mid S \subseteq \Sigma\}$, and $\mathcal{P}_{\mathcal{Y}}$ consists of the production rules $Y_S \to \bar c\, Y_{S \cup \{c\}}$ for each $S \subseteq \Sigma$ and $c \in \Sigma$, and $Y_S \to c\, Y_S$ for each $S \subseteq \Sigma$ and $c \in \Sigma$. Intuitively, the regular grammar tracks the set of handlers for which a cancel has been seen. Formally, $Y_\emptyset \Rightarrow^* w\, Y_S$ implies that for each $b \in \Sigma$ we have $\mathrm{Parikh}(w)(\bar b) > 0$ iff $b \in S$.

Now, we construct a grammar $r(G) \times C = (\mathcal{Z}, \Sigma, \mathcal{P}_{\mathcal{Z}})$, where $\mathcal{Z} = \{[Y_{S_1} X Y_{S_2}] \mid Y_{S_1}, Y_{S_2} \in \mathcal{Y},\ X \in \mathcal{X}\}$, and $\mathcal{P}_{\mathcal{Z}}$ is the least set of rules such that

— if $(X \to \varepsilon) \in \mathcal{P}'$ then $([Y_S X Y_S] \to \varepsilon) \in \mathcal{P}_{\mathcal{Z}}$ for all $S \subseteq \Sigma$;

— if $(X \to c) \in \mathcal{P}'$, $c \in \Sigma \cup \bar\Sigma$ and $(Y_S \to c\, Y_{S'}) \in \mathcal{P}_{\mathcal{Y}}$, then $([Y_S X Y_{S'}] \to \mathrm{Proj}_{\Sigma \setminus S}(c)) \in \mathcal{P}_{\mathcal{Z}}$;

— if $(X \to AB) \in \mathcal{P}'$ then $([Y_{S_0} X Y_{S_2}] \to [Y_{S_0} A Y_{S_1}][Y_{S_1} B Y_{S_2}]) \in \mathcal{P}_{\mathcal{Z}}$ for each $S_0 \subseteq S_1 \subseteq S_2 \subseteq \Sigma$.

Intuitively, a leftmost derivation of the grammar generates derivations of words in $r(G)$ while tracking which symbols from $\bar\Sigma$ have been seen. Additionally, it suppresses all symbols in $\bar\Sigma$ as well as all symbols $c \in \Sigma$ such that $\bar c$ has been seen (in the reversed word, a cancel seen before a post of $c$ is a cancel issued after that post). Formally, the grammar $r(G) \times C$ has the following property. The proof is by induction on the derivation of $w$, similar to Lem. 4.3.

Lemma 7.1. For $w \in \Sigma^*$ and $S \subseteq \Sigma$, we have $[Y_\emptyset X Y_S] \Rightarrow^*_{r(G) \times C} w$ iff there exists $w' \in (\Sigma \cup \bar\Sigma)^*$ such that $X \Rightarrow^*_G w'$ and for each $b \in \Sigma$ we have either (i) $w' \in (\Sigma \cup \bar\Sigma \setminus \{\bar b\})^*$, $\mathrm{Parikh}(w)(b) = \mathrm{Parikh}(w')(b)$ and $b \notin S$, or (ii) there exist $w'_1 \in (\Sigma \cup \bar\Sigma)^*$ and $w'_2 \in (\Sigma \cup \bar\Sigma \setminus \{\bar b\})^*$ with $w' = w'_1\, \bar b\, w'_2$, $\mathrm{Parikh}(w)(b) = \mathrm{Parikh}(w'_2)(b)$ and $b \in S$.

Lem. 7.1, when instantiated with the grammar $G_c$, provides the following corollary.

Corollary 7.2. Let $\mathfrak{P}$ be an asynchronous program with cancel, and let $m, m' \in M[\Sigma]$. For $c = (d_1, a, d_2) \in \mathfrak{C}$, let $G_c$ be defined as in Def. 4.4 (with $\Sigma$ replaced by $\Sigma \cup \bar\Sigma$). The following statements are equivalent:

(1) $(d_1, m \oplus [a]) \xrightarrow{a} (d_2, m')$;

(2) $\exists w \in \Sigma^*\ \exists S \subseteq \Sigma : [Y_\emptyset [d_1 X_a d_2] Y_S] \Rightarrow^*_{r(G_c) \times C} w$ and for all $b \in \Sigma$ we have

$$m'(b) = \begin{cases} m(b) + \mathrm{Parikh}(w)(b) & \text{if } b \notin S \\ \mathrm{Parikh}(w)(b) & \text{if } b \in S. \end{cases}$$



Proof. We have

$$(d_1, m \oplus [a]) \xrightarrow{a} (d_2, m')$$

iff (by the definition of $\rightarrow$ and of $G_c$)

$$\exists w \in (\Sigma \cup \bar\Sigma)^* : [d_1 X_a d_2] \Rightarrow^*_{G_c} w \ \wedge\ \forall b \in \Sigma : \Psi_1(b) \vee \Psi_2(b)$$

iff (by Lem. 7.1)

$$\exists w \in \Sigma^*\ \exists S \subseteq \Sigma : [Y_\emptyset [d_1 X_a d_2] Y_S] \Rightarrow^*_{r(G_c) \times C} w \ \wedge\ \forall b \in \Sigma : m'(b) = \begin{cases} \mathrm{Parikh}(w)(b) & \text{if } b \in S \\ m(b) + \mathrm{Parikh}(w)(b) & \text{otherwise.} \end{cases}$$

∎
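The buffer update of the transition relation (the disjunction $\Psi_1(b) \vee \Psi_2(b)$ of Sect. 7.1) and its summary form in Cor. 7.2 can be checked against each other mechanically. The following Python snippet is an added example and is not code from the paper: run_handler computes $m'$ by scanning the handler's word left to right, summarize extracts the pair (cancelled set $S$, posts surviving the last cancel) that the product grammar $r(G) \times C$ exposes, and apply_summary is the case split of Cor. 7.2. Handler names and words are constructed for the example, and the cancel letter $\bar b$ is written as the string 'cancel:b'; these names are assumptions of the example, not notation from the paper.

```python
from collections import Counter

CANCEL = "cancel:"   # 'cancel:b' plays the role of the cancel letter b-bar


def run_handler(m, w):
    """Direct semantics of one handler execution (Sect. 7.1).

    m maps handler names to numbers of pending instances; w is the word of posts
    and cancels derived for the handler.  Scanning left to right, a post adds one
    pending instance and a cancel of b drops every pending instance of b,
    including the ones posted earlier in this same execution.  The result is the
    multiset m' characterised by Psi_1(b) or Psi_2(b) for every b.
    """
    buf = Counter(m)
    for sym in w:
        if sym.startswith(CANCEL):
            buf[sym[len(CANCEL):]] = 0
        else:
            buf[sym] += 1
    return dict(+buf)          # +buf drops handlers with zero pending instances


def summarize(w):
    """The two pieces of information Sect. 7.2 keeps instead of the whole word.

    Returns (S, survivors): S is the set of handlers cancelled along w and
    survivors[b] is the number of posts of b issued after the last cancel of b
    (all posts of b when b is never cancelled).  Reading w backwards is what the
    reversed grammar r(G) x C does: a post of c is emitted only while no cancel
    of c has been seen yet, and every cancel letter is projected away.
    """
    cancelled = set()
    survivors = Counter()
    for sym in reversed(w):
        if sym.startswith(CANCEL):
            cancelled.add(sym[len(CANCEL):])
        elif sym not in cancelled:
            survivors[sym] += 1
    return cancelled, dict(survivors)


def apply_summary(m, cancelled, survivors):
    """Buffer update of Cor. 7.2: m'(b) = Parikh(w)(b) if b in S,
    and m'(b) = m(b) + Parikh(w)(b) otherwise."""
    m = Counter(m)
    new = Counter()
    for b in set(m) | set(survivors) | cancelled:
        new[b] = survivors.get(b, 0) if b in cancelled else m[b] + survivors.get(b, 0)
    return dict(+new)


def step(m, w):
    """Compute m' both ways and check that they agree, as Cor. 7.2 states."""
    direct = run_handler(m, w)
    cancelled, survivors = summarize(w)
    assert direct == apply_summary(m, cancelled, survivors), (direct, cancelled, survivors)
    return direct


if __name__ == "__main__":
    # Constructed input: two pending a's and one b; the handler posts a, cancels a,
    # then posts a, b, a.  Only the two posts of a after the cancel survive.
    print(step({"a": 2, "b": 1}, ["a", CANCEL + "a", "a", "b", "a"]))   # {'a': 2, 'b': 2}
    # Order matters: the same letters with the cancel first keep all three posts of a.
    print(step({"a": 2, "b": 1}, [CANCEL + "a", "a", "a", "b", "a"]))   # {'a': 3, 'b': 2}
```

The second call is the point made after the definition of $\rightarrow$: the Parikh image of the word alone does not determine $m'$, only the Parikh image of the suffix after the last cancel of each handler does.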



7.3. PN with reset arcs 

Let us now introduce an extension of the PN model which will serve to model the semantics 
of asynchronous programs with cancel. 

Definition 7.3. A Petri net with reset arcs, PN+R for short, is a tuple $(S, T, F = (I, O, Z), m_0)$ where $S$, $T$ and $F$ are defined as for PN except that $F$ is extended with a mapping $Z$ such that $Z(t) \subseteq S$ for each $t \in T$. As for PN, $m_0 \in M[S]$ defines the initial marking.

Semantics. Given a tuple $(S, T, F, m_0)$ and a marking $m \in M[S]$, a transition $t \in T$ is enabled at $m$, written $m [t\rangle$, if $I(t) \preceq m$. We write $m [t\rangle m'$ if transition $t$ is enabled at $m$ and its firing yields the marking $m'$ defined as follows:

(1) Let $m_1$ be such that $m_1 \oplus I(t) = m$.

(2) Let $m_2$ be such that $m_2(p) = 0$ if $p \in Z(t)$ and $m_2(p) = m_1(p)$ otherwise.

(3) $m'$ is such that $m' = m_2 \oplus O(t)$.

The semantics as well as the boundedness and coverability problems follow naturally from their counterparts for PN. Note that if $Z(t) = \emptyset$ for each $t \in T$, then $N$ reduces to a PN.

Theorem 7.4. [Dufourd et al. 1998] The coverability problem for PN + R is decidable. 
The boundedness problem and the reachability problem for PN + R are both undecidable. 
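The three-step firing rule and the decidable coverability problem of Theorem 7.4 can be made concrete in code. The following Python snippet is an added example, not part of the paper: it implements a PN+R with the firing rule (1)-(3) and decides coverability by backward saturation of a minimal predecessor basis, the standard procedure for well-structured transition systems, which is the kind of argument Theorem 7.4 relies on. The reset arc is what changes the predecessor computation: after $t$ fires, a place in $Z(t)$ holds exactly $O(t)(p)$ tokens regardless of its history. The three-place net EXAMPLE, the class and function names are constructed for this illustration.

```python
# Petri net with reset arcs (Def. 7.3).  A marking is a dict place -> tokens;
# places absent from the dict hold no token.

class ResetNet:
    def __init__(self, places, transitions, m0):
        # transitions: name -> (I, O, Z); I and O are dicts place -> multiplicity,
        # Z is the set of places emptied by the reset arcs of the transition.
        self.places = list(places)
        self.T = dict(transitions)
        self.m0 = dict(m0)

    def enabled(self, m, t):
        I = self.T[t][0]
        return all(m.get(p, 0) >= n for p, n in I.items())

    def fire(self, m, t):
        """Steps (1)-(3) of the semantics, or None when t is not enabled."""
        if not self.enabled(m, t):
            return None
        I, O, Z = self.T[t]
        m1 = {p: m.get(p, 0) - I.get(p, 0) for p in self.places}   # (1) remove I(t)
        m2 = {p: (0 if p in Z else m1[p]) for p in self.places}    # (2) empty Z(t)
        return {p: m2[p] + O.get(p, 0) for p in self.places}       # (3) add O(t)

    def run(self, seq):
        """Fire a sequence of transitions from m0; None if some step is disabled."""
        m = dict(self.m0)
        for t in seq:
            m = self.fire(m, t)
            if m is None:
                return None
        return m


def covers(m, n):
    """m <= n pointwise, i.e. n covers m."""
    return all(m.get(p, 0) <= n.get(p, 0) for p in set(m) | set(n))


def pre_basis(net, t, target):
    """Least marking that enables t and reaches a marking covering target by
    firing t, or None if there is none.  For a place p in Z(t) the firing leaves
    exactly O(t)(p) tokens whatever was there before, so the target can only be
    met if O(t)(p) >= target(p), and the predecessor needs just I(t)(p)."""
    I, O, Z = net.T[t]
    pred = {}
    for p in net.places:
        need = target.get(p, 0)
        if p in Z:
            if O.get(p, 0) < need:
                return None
            pred[p] = I.get(p, 0)
        else:
            pred[p] = max(need - O.get(p, 0), 0) + I.get(p, 0)
    return pred


def coverable(net, target):
    """Backward coverability: saturate a minimal basis of the set of markings
    from which some marking covering target is reachable, then test m0 against
    it.  The basis only ever holds pairwise incomparable markings, so Dickson's
    lemma bounds it and the loop terminates even if the net is unbounded."""
    basis = [dict(target)]
    work = [dict(target)]
    while work:
        m = work.pop()
        for t in net.T:
            q = pre_basis(net, t, m)
            if q is None or any(covers(b, q) for b in basis):
                continue                      # q is already above the basis
            basis = [b for b in basis if not covers(q, b)] + [q]
            work.append(q)
    return any(covers(b, net.m0) for b in basis)


# Constructed example: t1 copies a token from a into b (keeping a);
# t2 consumes a b, produces a c and resets a.  Once t2 has fired, a stays empty.
EXAMPLE = ResetNet(
    places=["a", "b", "c"],
    transitions={
        "t1": ({"a": 1}, {"a": 1, "b": 1}, set()),
        "t2": ({"b": 1}, {"c": 1}, {"a"}),
    },
    m0={"a": 1},
)

if __name__ == "__main__":
    print(EXAMPLE.run(["t1", "t1", "t2", "t2"]))   # {'a': 0, 'b': 0, 'c': 2}
    print(coverable(EXAMPLE, {"c": 2}))             # True
    print(coverable(EXAMPLE, {"a": 1, "c": 1}))     # False: the reset of a is irreversible
```

The forward run is a witness for the first query; the second query is refuted without enumerating the (infinite) reachability set, because no predecessor through t2 can ever require a token in the reset place a.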

7.4. PN + R semantics of asynchronous programs with cancel 

Definition 7.5. Let $c = (d_1, a, d_2) \in \mathfrak{C}$, and let $r(G_c) \times C = (\mathcal{Z}, \Sigma, \mathcal{P}_{\mathcal{Z}})$. Define $k = |\mathcal{Z}|$ and the PN+R $N^c_{\mathfrak{P}} = (S^c_{\mathfrak{P}}, T^c_{\mathfrak{P}}, F^c_{\mathfrak{P}})$ such that:

— $S^c_{\mathfrak{P}} = \{(begin, c), (end, c)\} \cup \mathcal{Z} \cup \{(\$, c)\} \cup \Sigma$;

— the sets $T^c_{\mathfrak{P}}$ and $F^c_{\mathfrak{P}}$ are such that $t \in T^c_{\mathfrak{P}}$ iff one of the following holds:

  $F^c_{\mathfrak{P}}(t) = ([(begin, c)],\ [[Y_\emptyset [d_1 X_a d_2] Y_{S_1}]] \oplus [(\$, c)^k],\ S_1)$ for each $S_1 \subseteq \Sigma$ (this transition guesses the set $S_1$ of handlers cancelled by the execution and resets their places; a derivation exists from $[Y_\emptyset [d_1 X_a d_2] Y_{S_1}]$ only if the guess is right);

  $F^c_{\mathfrak{P}}(t) = ([X, (\$, c)],\ [Z, Y],\ \emptyset)$ for each $(X \to Z \cdot Y) \in \mathcal{P}_{\mathcal{Z}}$;

  $F^c_{\mathfrak{P}}(t) = ([X],\ \mathrm{Parikh}(\sigma) \oplus [(\$, c)],\ \emptyset)$ for each $(X \to \sigma) \in \mathcal{P}_{\mathcal{Z}}$ with $\sigma \in \Sigma \cup \{\varepsilon\}$;

  $F^c_{\mathfrak{P}}(t) = ([(\$, c)^{k+1}],\ [(end, c)],\ \emptyset)$.

Finally, define $\mathcal{N}_{\mathfrak{P}} = \{N^c_{\mathfrak{P}}\}_{c \in \mathfrak{C}}$.

The following lemma is proved similarly to Lem. 5.9.

Lemma 7.6. Let $\mathfrak{P}$ be an asynchronous program with cancel and let $d, d' \in D$ and $m, m' \in M[\Sigma]$. Define $c = (d, a, d') \in \mathfrak{C}$; we have:

$(d, m \oplus [a]) \xrightarrow{a} (d', m')$ iff $\exists w \in (T^c_{\mathfrak{P}})^* : ([(begin, c)] \oplus m)\ [w\rangle\ ([(end, c)] \oplus m')$.

Construction 3. Let $\mathfrak{P} = (D, \Sigma \cup \bar\Sigma, \Sigma_i, G, R, d_0, m_0)$ be an asynchronous program with cancel. Define $(N_{\mathfrak{P}}, m_i)$ to be an initialized PN+R where (1) $N_{\mathfrak{P}} = (S_{\mathfrak{P}}, T_{\mathfrak{P}}, F_{\mathfrak{P}})$ is given as follows:

— the set $S_{\mathfrak{P}}$ is given by $D \cup \Sigma \cup \bigcup_{c \in \mathfrak{C}} S^c_{\mathfrak{P}}$;

— the set $T_{\mathfrak{P}}$ of transitions is given by $\bigcup_{c \in \mathfrak{C}} (\{t^<_c\} \cup T^c_{\mathfrak{P}} \cup \{t^>_c\})$;

— $F_{\mathfrak{P}}$ is such that for each $c = (d_1, a, d_2) \in \mathfrak{C}$ we have

  $F_{\mathfrak{P}}(t^<_c) = ([d_1, a],\ [(begin, c)],\ \emptyset)$

  $F_{\mathfrak{P}}(t) = F^c_{\mathfrak{P}}(t)$ for each $t \in T^c_{\mathfrak{P}}$

  $F_{\mathfrak{P}}(t^>_c) = ([(end, c)],\ [d_2],\ \emptyset)$

and (2) $m_i = [d_0] \oplus m_0$.

From the previous lemma, it follows that:

Lemma 7.7. Let $\mathfrak{P}$ be an asynchronous program with cancel and let $(N_{\mathfrak{P}}, m_i)$ be the initialized PN+R given by Constr. 3. Then $(d, m)$ is reachable in $\mathfrak{P}$ iff $[d] \oplus m$ is reachable in $N_{\mathfrak{P}}$ from $m_i$.

7.5. Model checking 

We now summarize the status of model checking asynchronous programs with cancel. 
Theorem 7.8. 

(1) The safety (global state reachability) problem for asynchronous programs with cancel is 
decidable. 
    global st = (ε, ε);

    runPN() {
      if st ∈ (T ∪ {ε}) × {ε} {
        pick t ∈ T non det.;
        st = (t, I(t));
      }
      post runPN();
    }

    p'() { // for p' ∈ S
      if st == (t, p' · w) {
        st = (t, w);
        if w == ε {
          for each p ∈ S do {
            if p ∈ Z(t) {
              cancel p();
            }
            if O(t)(p) > 0 {
              post p();
            }
          }
        }
      } else {
        post p'();
      }
    }

    Initially: m_i ⊕ [runPN]

Fig. 6. Let $N = (S, T, F = (I, O, Z), m_0)$ be an initialized PN+R such that $\forall t \in T : |I(t)| > 0$. $N$ is unbounded (that is, $[m_i\rangle$ is infinite) iff the asynchronous program is unbounded.

(2) The configuration reachability problem for asynchronous programs with cancel is undecidable.

(3) The boundedness problem for asynchronous programs with cancel is undecidable.

Proof. Part (1) of Thm. 7.8 follows from Thm. 7.4 and Lem. 7.7.

To show that configuration reachability and boundedness are undecidable, we use a reduction similar to the one of Fig. 4 for PN. We reduce the reachability and boundedness problems for PN+R to the configuration reachability and boundedness problems for asynchronous programs with cancel, respectively. The reachability and boundedness problems for PN+R are both undecidable [Dufourd et al. 1998]. Our reduction from the boundedness of PN+R is given in Fig. 6: one pending instance of handler $p$ stands for one token in place $p$, the input places of the chosen transition are consumed one instance at a time through the global variable $st$, and a reset arc on $p$ becomes a cancel of handler $p$ once all inputs have been consumed. We omit the details, which are similar to the construction for PN. The reduction for configuration reachability is similar. ∎

We now show undecidability results when it comes to determining properties of infinite runs. Our proofs use undecidability results for counter machines, which we now introduce.

Definition 7.9. An $n$-counter machine $C$ (nCM for short) is a tuple $(\{c_i\}_{1 \leq i \leq n}, L, \mathrm{Instr})$ where:

— each $c_i$ takes its values in $\mathbb{N}$;

— $L = \{l_1, \ldots, l_u\}$ is a finite non-empty set of locations;

— Instr is a function that labels each location $l \in L$ with an instruction that has one of the following forms:

  — $l: c_j := c_j + 1;\ \mathbf{goto}\ l'$ where $1 \leq j \leq n$ and $l' \in L$; this is called an increment, and we define $\mathrm{TypeInst}(l) = (\mathrm{inc}_j, l')$;

  — $l: c_j := c_j - 1;\ \mathbf{goto}\ l'$ where $1 \leq j \leq n$ and $l' \in L$; this is called a decrement, and we define $\mathrm{TypeInst}(l) = (\mathrm{dec}_j, l')$;

  — $l: \mathbf{if}\ c_j = 0\ \mathbf{then\ goto}\ l'\ \mathbf{else\ goto}\ l''$ where $1 \leq j \leq n$ and $l', l'' \in L$; this is called a zero-test, and we define $\mathrm{TypeInst}(l) = (\mathrm{zerotest}_j, l', l'')$.

We define 2CM and 3CM as the classes of 2-counter and 3-counter machines, respectively.
    global loc = l_1;

    main() {
      while (*)
        post I();
    }

    I() {
      if TypeInst(loc) == (inc_j, l') {
        loc = l';
        post c_j();
      } else if TypeInst(loc) == (zerotest_j, l', l'') {
        loc = l';
        cancel c_j();
        post I();
      } else
        loc = ⊥;
    }

    c_j() { // for j ∈ {1, 2, 3}
      if TypeInst(loc) == (dec_j, l') {
        loc = l';
        post I();
      } else if TypeInst(loc) == (zerotest_j, l', l'') {
        loc = l'';
        post c_j();
      } else
        loc = ⊥;
    }

    Initially: [main]

Fig. 7. Let $C' = (\{c_1, c_2, c_3\}, L, \mathrm{Instr})$ be the 3CM defined upon a reachability problem instance for 2CM; the above asynchronous program with cancel has an infinite computation iff $C'$ has an infinite bounded computation. In the above program, whenever loc equals $\bot$, every conditional fails.

Semantics. The instructions have their usual semantics; in particular, a decrement can only be executed if the value of the counter is strictly greater than zero.

A configuration of an nCM $(\{c_1, \ldots, c_n\}, L, \mathrm{Instr})$ is a tuple $(loc, v_1, v_2, \ldots, v_n)$ where $loc \in L$ is the value of the program counter and $v_1, \ldots, v_n \in \mathbb{N}$ give the values of counters $c_1, \ldots, c_n$, respectively. We adopt the convention that every nCM is such that $L$ contains a special location $l_1$ called the initial location.

A computation $\gamma$ of an nCM is a finite sequence of configurations $(loc^1, v^1_1, \ldots, v^1_n), (loc^2, v^2_1, \ldots, v^2_n), \ldots, (loc^r, v^r_1, \ldots, v^r_n)$ such that the following conditions hold. (i) "Initialization": $loc^1 = l_1$ and for each $i \in \{1, \ldots, n\}$ we have $v^1_i = 0$. That is, a computation starts in $l_1$ with all counters initialized to 0. (ii) "Consecution": for each $i \in \mathbb{N}$ such that $1 \leq i < |\gamma|$, the configuration $(loc^{i+1}, v^{i+1}_1, \ldots, v^{i+1}_n)$ is obtained from $(loc^i, v^i_1, \ldots, v^i_n)$ by applying the instruction $\mathrm{Instr}(loc^i)$. A configuration $c$ is reachable if there exists a finite computation $\gamma$ whose last configuration is $c$. A location $l \in L$ is reachable if there exists a reachable configuration $(l, v_1, \ldots, v_n)$ for some $v_1, \ldots, v_n \in \mathbb{N}$.

Given an nCM $C$ and $F \subseteq L$, the reachability problem asks whether some $l \in F$ is reachable. If so, we say $C$ reaches $F$.

Theorem 7.10. [Minsky 1967] The reachability problem for nCM is undecidable for $n \geq 2$.

Theorem 7.11. Determining whether an asynchronous program with cancel has an infinite run is undecidable.

Proof. Our proof follows the proof of [Esparza et al. 1999], which reduces the termination problem for broadcast protocols to the reachability problem for nCM.

We first start with some additional notions on counter machines. A configuration $(loc, v_1, v_2, \ldots, v_n)$ of an nCM is $k$-bounded if $\sum_{i=1}^{n} v_i \leq k$. A computation $\gamma$ is $k$-bounded if all its configurations are $k$-bounded, and bounded if it is $k$-bounded for some positive integer $k$.

Consider an instance of the reachability problem for a 2CM given by $C = (\{c_1, c_2\}, L, \mathrm{Instr})$ and $F \subseteq L$. Without loss of generality, we assume that $l_1$ has no "incoming edge" in $C$. Define $C'$ to be a 3CM that behaves as follows. $C'$ simulates $C$ on counters $c_1$ and $c_2$ and increases $c_3$ by 1 after each step of the simulation. If $C$ reaches some location in $F$, then $C'$ goes back to its initial configuration $(l_1, 0, 0, 0)$. We make the following two observations about $C'$:

— $C'$ has an infinite bounded computation iff $C$ reaches $F$. Because $C'$ increments counter $c_3$ after each step, the only infinite bounded computation of $C'$, if any, corresponds to the infinite iteration of a run of $C$ that reaches $F$.

— In every infinite bounded computation of $C'$, the initial configuration $(l_1, 0, 0, 0)$ occurs infinitely often.

We can simulate $C' = (\{c_1, c_2, c_3\}, L, \mathrm{Instr})$ in a weak sense by using the asynchronous program with cancel $\mathfrak{P}$ given in Fig. 7. The simulation uses handlers $c_1$, $c_2$ and $c_3$ to simulate decrements of the counters as well as zero-tests where the "else" branch is taken. It additionally uses a handler $I$ to simulate increments, as well as the "then" branch of a zero-test. The location $\bot$ is a special "halt" location with no instruction (so the simulation eventually terminates once the location is set to $\bot$).

We call a simulation faithful if, whenever the then-branch of a zero-test on $c_j$ is executed, there are no pending instances of handler $c_j$ (and thus the cancel is a no-op). A simulation may not be faithful because the dispatch of handler $I$ amounts to guessing that the then-branch is taken, and it cancels any pending instances of handler $c_j$. If there were pending instances of $c_j$, this guess is wrong, but these instances get removed anyway by the cancel. In that case we say that $\mathfrak{P}$ cheats.

We prove that if $C$ reaches $F$, then, by the above observations, $\mathfrak{P}$ has an infinite run. If $C$ reaches $F$, then $C'$ has an infinite bounded computation $\gamma$, which iterates infinitely often a computation of $C$ that reaches $F$. By definition of bounded computation, there exists $b > 0$ such that $\gamma$ is $b$-bounded. Let $\rho$ be a run of $\mathfrak{P}$ that initially executes "post I()" $b$ times and then faithfully simulates $\gamma$. Since this is a faithful simulation, each time a "cancel $c_i$()" statement (for $i \in \{1, 2, 3\}$) is executed, there is no pending instance of handler $c_i$ to remove. Since $\rho$ can simulate every step of $\gamma$, it is infinite.

We now prove that if $\mathfrak{P}$ has an infinite run, then $C$ reaches $F$. Here we have to take into account possible cheating in the simulation. Let $\rho$ be an infinite run of $\mathfrak{P}$. Notice that in this run the variable loc can never be set to $\bot$ (since any run of $\mathfrak{P}$ where loc $= \bot$ eventually terminates). Suppose that in this run the statement "post I()" was executed $b$ times in main. After the execution of main, the number of pending handlers is always at most $b$, and thus the execution encodes a $b$-bounded run of the counter machine. Moreover, the number of pending handlers only decreases if there is a cheat (that is, some pending handler $c_j$ is cancelled). Thus, the infinite run $\rho$ can have only finitely many cheats. Take a suffix of $\rho$ containing no cheats. It corresponds to a bounded infinite simulation $\gamma$ of $C'$. Now recall that every infinite bounded run of $C'$ contains infinitely many initial configurations. So some suffix $\gamma'$ of $\gamma$ is an infinite bounded computation of $C'$. Thus, $C$ reaches $F$. ∎

It can also be shown that the fair non-termination and fair starvation problems for asynchronous programs with cancel are undecidable. Let us sketch the main intuitions here. For the fair non-termination problem, it suffices to modify the 3CM $C'$ as follows. In the initial configuration $(l_1, 0, 0, 0)$, instead of simulating $C$, $C'$ first increments and then decrements each counter $c_i$ for $i \in \{1, 2, 3\}$. Then $C'$ simulates $C$ as given above. Observe that this modification preserves the correctness of the above proof. Let us now turn to the asynchronous program with cancel simulating this updated $C'$. We conclude from the above modification that if $\mathfrak{P}$ simulates the bounded infinite run of $C'$ faithfully, then the run is fair, because a faithful simulation requires the dispatch of every handler (i.e. $c_1$(), $c_2$(), $c_3$() and $I$()). Therefore the infinite run is fair.

For the fair starvation problem, let $k$ denote a value such that there is a $k$-bounded infinite computation of $C'$. We now show that there exists a fair infinite run that starves handler $I$(). In this run, main posts at least $k + 2$ instances of handler $I$(). This ensures that after executing the main procedure there are at least 2 pending instances of $I$() along the fair infinite run, and we are done.

Theorem 7.12. Determining whether an asynchronous program with cancel $\mathfrak{P}$ has a fair infinite run, or whether $\mathfrak{P}$ fairly starves some $a \in \Sigma$, is undecidable.
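The weak simulation of Fig. 7 and the notion of cheating can be exercised directly. The following Python snippet is an added example and is not code from the paper: it encodes a small counter machine in the form of Def. 7.9 (constructed here as a 2CM; the Fig. 7 scheme is the same for the 3CM $C'$ of the proof, with one handler per counter), the handlers $I$ and $c_j$ of Fig. 7 acting on a multiset of pending instances, and a scheduler that follows the machine faithfully. A dispatch of $I$ at a zero-test reports whether its cancel removed pending instances, which is exactly a cheat; the faithful scheduler checks that pending instances of $c_j$ track counter $c_j$ and that the total number of pending instances never changes, so $b$ initial posts of $I$ bound the simulated counters by $b$. The machine, the location names and the function names are assumptions of the example.

```python
from collections import Counter

N = 2                 # number of counters of the machine being simulated
BOTTOM = "bottom"     # the halting location written as "⊥" in Fig. 7

# Constructed 2CM (Def. 7.9): TYPEINST[l] is ('inc', j, l'), ('dec', j, l') or
# ('zerotest', j, l_then, l_else).  It raises c1 to 2, counts it back down to 0
# and starts over, so it has an infinite 2-bounded computation.
TYPEINST = {
    "l1": ("inc", 1, "l2"),
    "l2": ("inc", 1, "l3"),
    "l3": ("zerotest", 1, "l5", "l4"),
    "l4": ("dec", 1, "l3"),
    "l5": ("zerotest", 2, "l1", "l6"),
    "l6": ("dec", 2, "l6"),
}


def cm_step(loc, v):
    """One step of the counter machine; None if loc has no instruction or a
    decrement is attempted on an empty counter."""
    ins = TYPEINST.get(loc)
    if ins is None:
        return None
    kind, j = ins[0], ins[1] - 1
    v = list(v)
    if kind == "inc":
        v[j] += 1
        return ins[2], v
    if kind == "dec":
        if v[j] == 0:
            return None
        v[j] -= 1
        return ins[2], v
    return (ins[2] if v[j] == 0 else ins[3]), v


def dispatch(loc, pending, h):
    """Dispatch one pending instance of handler h ('I' or 'c<j>') as in Fig. 7.
    Returns (loc', pending', cheated); cheated is True when the cancel issued by I
    removed pending instances of c_j, i.e. the then-branch of a zero-test was
    guessed while the simulated counter was non-zero."""
    pending = Counter(pending)
    if pending[h] == 0:
        raise ValueError(f"no pending instance of {h}")
    pending[h] -= 1
    ins = TYPEINST.get(loc)          # None once loc == BOTTOM: every test fails
    cheated = False
    if h == "I":
        if ins and ins[0] == "inc":
            loc = ins[2]
            pending[f"c{ins[1]}"] += 1
        elif ins and ins[0] == "zerotest":
            cj = f"c{ins[1]}"
            cheated = pending[cj] > 0
            pending[cj] = 0           # cancel c_j()
            loc = ins[2]
            pending["I"] += 1
        else:
            loc = BOTTOM
    else:
        j = int(h[1:])
        if ins and ins[0] == "dec" and ins[1] == j:
            loc = ins[2]
            pending["I"] += 1
        elif ins and ins[0] == "zerotest" and ins[1] == j:
            loc = ins[3]
            pending[h] += 1
        else:
            loc = BOTTOM
    return loc, dict(+pending), cheated


def faithful_run(b, steps):
    """Post I() b times in main, then follow the machine for `steps` steps,
    always dispatching the handler that matches the real instruction.  Returns
    the trace of (loc, pending) and whether the program could keep up; it cannot
    once the counters need more than b instances, which is why a run of the
    program encodes a b-bounded computation.  Along a faithful run pending[c_j]
    equals counter c_j and the total number of pending instances stays b."""
    loc, v, pending = "l1", [0] * N, {"I": b}
    trace = []
    for _ in range(steps):
        ins = TYPEINST.get(loc)
        nxt = cm_step(loc, v)
        if nxt is None:
            break
        kind, j = ins[0], ins[1]
        h = "I" if kind == "inc" or (kind == "zerotest" and v[j - 1] == 0) else f"c{j}"
        if pending.get(h, 0) == 0:
            return trace, False
        loc, pending, cheated = dispatch(loc, pending, h)
        v = nxt[1]
        assert not cheated and loc == nxt[0]
        assert all(pending.get(f"c{i + 1}", 0) == v[i] for i in range(N))
        trace.append((loc, pending))
    return trace, True


if __name__ == "__main__":
    trace, ok = faithful_run(2, 12)
    print(ok, trace[:4])
    # A cheat: guessing c1 = 0 at l3 while two instances of c1 are pending.
    print(dispatch("l3", {"I": 1, "c1": 2}, "I"))   # ('l5', {'I': 1}, True)
```

The last call is the situation the proof of Thm. 7.11 calls a cheat: the total number of pending instances drops from 3 to 1, and since it can never grow again, an infinite run can contain only finitely many such steps.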

7.6. Asynchronous Programs with Cancel and Test 

Our final results investigate the decidability of a natural extension of asynchronous programs with cancel where, additionally, the program can test for the absence of pending instances of a particular handler $p$. We model an additional instruction assertnopending p() that succeeds if there is no pending instance of $p$. Here, we show that safety verification becomes undecidable as well. Our proof reduces the coverability problem for an extension of PN+R in which we additionally allow one transition whose enabling condition is augmented by requiring the absence of tokens in a given place. We call this a transition with an inhibitor arc.

We first introduce the extension of PN+R with one transition with an inhibitor arc.

Definition 7.13. A reset net with one inhibitor arc $N$ (PN+R+! for short) is a tuple $(S, T, F = (I, O, Z), !, m_0)$ where $(S, T, F = (I, O, Z), m_0)$ is a PN+R and $! \in (T \times S)$.

We now define the semantics of PN+R+! by extending the one of PN+R.

Semantics. Given a PN+R+! $N = (S, T, F, !, m_0)$ and a marking $m$ of $N$, a transition $t \in T$ is enabled at $m$, written $m [t\rangle$, if (1) $I(t) \preceq m$ and (2) $! = (t, p)$ implies $m(p) = 0$. We write $m [t\rangle m'$ if transition $t$ is enabled at $m$ and its firing yields the marking $m'$ defined as in Sect. 7.3.

The coverability problem for PN+R+! follows naturally from the definition for PN+R. The following result, due to Laurent Van Begin, shows that coverability is undecidable in this model.

Theorem 7.14. The coverability problem for PN+R+! is undecidable.

Proof. Our proof reduces the reachability problem for 2CM to the coverability problem for PN+R+!. We consider here a particular case of the reachability problem which asks whether a particular control location, say $l_f$, with null counter values is reachable (is $(l_f, 0, 0)$ reachable?). This problem is known to be undecidable.

Fix an instance $(C = (\{c_1, c_2\}, L, \mathrm{Instr}), l_f)$ of that problem, where $C$ is the 2CM and $l_f \in L$ is a control location of $C$.

We define the PN+R+! $N = (S, T, F = (I, O, Z), !, m_0)$ such that $N$ simulates $C$ in a weak sense we define below.

— $S = L \cup \{c_1, c_2\} \cup \{cnt, 2cover\}$;

— $T$ and $F$ are such that $t \in T$ iff one of the following holds:

  $F(t) = ([l],\ [c_j, l', cnt],\ \emptyset)$ where $\mathrm{TypeInst}(l) = (\mathrm{inc}_j, l')$;

  $F(t) = ([c_j, l, cnt],\ [l'],\ \emptyset)$ where $\mathrm{TypeInst}(l) = (\mathrm{dec}_j, l')$;

  $F(t) = ([l],\ [l'],\ \{c_j\})$ where $\mathrm{TypeInst}(l) = (\mathrm{zerotest}_j, l', l'')$;

  $F(t) = ([l, c_j],\ [l'', c_j],\ \emptyset)$ where $\mathrm{TypeInst}(l) = (\mathrm{zerotest}_j, l', l'')$;

  $F(t) = ([l_f],\ [2cover],\ \emptyset)$;

— $! = (t, cnt)$ for the transition $t$ with $F(t) = ([l_f], [2cover], \emptyset)$, namely a token is produced in $2cover$ provided $l_f$ contains some token and $cnt$ does not;

— $m_0 = [l_1]$.

Define $(N, [2cover])$ to be an instance of the coverability problem for PN+R+!. The rest of the proof shows that $[2cover]$ is coverable iff $C$ reaches the configuration $(l_f, 0, 0)$.

Intuitively, the following property is maintained by $N$: as long as $N$ simulates $C$ faithfully, the place $cnt$ holds as many tokens as $c_1$ and $c_2$ together; once $N$ stops simulating $C$ faithfully, $cnt$ holds strictly more tokens than $c_1$ and $c_2$ together.

The definition of $m_0$ shows that initially $m_0(cnt) = m_0(c_1) + m_0(c_2) = 0$, that is, $cnt$ holds as many tokens as $c_1$ and $c_2$. Moreover, the definition of $N$ shows that whenever a transition which resets $c_j$ ($j = 1, 2$) is fired and removes at least one token from $c_j$, then $cnt$ holds more tokens than $c_1$ and $c_2$ together. This reflects that $N$ incorrectly simulated $C$: if a transition resets $c_j$ and removes at least one token from it, then some zero-test instruction was inaccurately simulated because the "then" branch was taken while the tested counter contained a token, and that token was removed from $c_j$. Observe that once a reset transition of $N$ has removed a token from $c_1$ or $c_2$, from this point on $cnt$ holds strictly more tokens than $c_1$ and $c_2$ together: increments and decrements change $cnt$ and $c_1 + c_2$ by the same amount, and the only other effect on these places is a further reset, which can only widen the gap.

Therefore, given a sequence of transitions $w \in T^*$ such that $m_0 [w\rangle m$, we have $m(cnt) = m(c_1) + m(c_2)$ iff each occurrence along $w$ of a transition $t$ such that $Z(t) = \{c_j\}$ removes no token from $c_j$. We then interpret $w$ as an accurate simulation of $C$.

Now suppose $(l_f, 0, 0)$ is reachable in $C$ through some computation $\gamma$. By accurately simulating $\gamma$ in $N$ we find that a marking with a token in $l_f$ and no tokens elsewhere is reachable; the transition guarded by the inhibitor arc is then enabled, hence $[2cover]$ is coverable. The other direction is proven by contradiction.

Assume that $(l_f, 0, 0)$ is not reachable in $C$ but $[2cover]$ is coverable in $N$. Hence there exists $w \in T^*$ such that $m_0 [w\rangle m$, $m(l_f) \geq 1$ and $m(cnt) = 0$. It follows that $m(c_1) + m(c_2) = 0 = m(cnt)$. But we showed above that in this case $w$ is a precise simulation of a computation of $C$, which therefore reaches $(l_f, 0, 0)$, a contradiction.

In fact, whenever $N$ does not faithfully simulate $C$, every marking $m$ reachable from this point on is such that $m(c_1) + m(c_2) < m(cnt)$, hence $m(cnt) > 0$ since the minimum value for $m(c_1) + m(c_2)$ is 0. This means that $cnt$ can never be emptied, hence that the enabling condition expressed by $!$ can never be satisfied, and finally that $2cover$ can never be marked. ∎

We finally obtain the following negative result for the safety problem of asynchronous programs with cancel and a test for the absence of pending instances of a particular handler $p$. Recall that boundedness, configuration reachability and liveness properties are undecidable already for the more restricted class without testing for the absence of a handler.

Lemma 7.15. The safety problem for asynchronous programs with cancel and test for absence of pending instances is undecidable.

Proof. We reduce from the coverability problem for PN+R+!, which has been shown to be undecidable in Thm. 7.14. The reduction is similar to the one given in Fig. 6, except that runPN has to be slightly modified in order to take the augmented enabling condition of PN+R+! into account. As in Sect. 6.1, we assume w.l.o.g. that instead of asking whether some given marking $m$ is coverable in a PN+R+! $N$, we equivalently ask whether there exists a marking $m \in [m_i\rangle_N$ such that $m$ enables some given transition $t_c$, namely $m [t_c\rangle$. We thus obtain that there exists $m \in [m_i\rangle_N$ such that $m [t_c\rangle$ iff $st = (t_c, \varepsilon)$ is reachable in $\mathfrak{P}$. The resulting code for runPN is given in Fig. 8. ∎

    global st = (ε, ε);

    runPN() {
      if st ∈ (T ∪ {ε}) × {ε} {
        pick t ∈ T non det.;
        st = (t, I(t));
        if ! = (t, p) {
          assertnopending p();
        }
      }
      post runPN();
    }

    // the handlers p'() for p' ∈ S are as in Fig. 6

    Initially: m_i ⊕ [runPN]

Fig. 8. Let $N = (S, T, F = (I, O, Z), !, m_0)$ be an initialized PN+R+! such that $\forall t \in T : |I(t)| > 0$. Some marking in $[m_i\rangle_N$ enables a given $t_c$ iff $st = (t_c, \varepsilon)$ is reachable in $\mathfrak{P}$.

8. CONCLUSION

Asynchronous programming is ubiquitous in computing systems. The results in this paper provide a fairly complete theoretical characterization of the safety and liveness verification problems for this model. Initial implementations for safety verification of asynchronous programs were reported in [Jhala and Majumdar 2007]. One interesting direction will be to apply tools for coverability analysis of PN to this problem, using the reduction outlined in this paper. For liveness verification, the PN reachability lower bound is somewhat disappointing. It will be interesting to see what heuristic approximations can work well in practice.

Since our initial work [Ganty et al. 2009], there have been several other related results. The problem of whether an asynchronous program is simulated by or simulates a finite-state machine is shown to be decidable in [Chadha and Viswanathan 2009]. The authors also show how to solve the control state maintainability problem, which asks whether an asynchronous program has an infinite (or terminating) run such that each of its states belongs to a given upward-closed set of configurations. Safety verification was shown to be decidable for a model augmenting asynchronous programs with priorities (and letting higher-priority handlers interrupt lower-priority ones) in [Atig et al. 2008]. Safety verification was shown to be undecidable for a natural extension of asynchronous programs with timing [Ganty and Majumdar 2009]. A model of asynchronous programs in which emptiness of a fixed subset of handlers can be checked has been proposed in the Linux kernel (see http://lwn.net/Articles/314808/). For this model, safety and boundedness are decidable. This follows from recent results in [Abdulla and Mayr 2009] (for safety) and [Finkel and Sangnier 2010] (for boundedness). As far as we know, the decidability of termination is still open. When this model is further extended with cancellation of handlers, safety verification becomes undecidable, by Thm. 7.14 and Lem. 7.15.

A. APPENDIX: CONSTRUCTION OF THE GRAMMAR $G_R$

Definition A.1. Given a CFG $G = (\mathcal{X}, \Sigma \cup \Sigma_i, \mathcal{P})$ and a regular grammar $R = (D, \Sigma \cup \Sigma_i, \Delta)$, define $G_r = (\mathcal{X}_r, \Sigma \cup \Sigma_i, \mathcal{P}_r)$ where $\mathcal{X}_r = \{[dXd'] \mid X \in \mathcal{X},\ d, d' \in D\}$, and $\mathcal{P}_r$ is the least set such that each of the following holds:

(1) if $(X \to \varepsilon) \in \mathcal{P}$ and $d \in D$ then $([dXd] \to \varepsilon) \in \mathcal{P}_r$.

(2) if $(X \to a) \in \mathcal{P}$ and $(d \to a \cdot d') \in \Delta$ then $([dXd'] \to a) \in \mathcal{P}_r$.

(3) if $[d_0 A d_1], [d_1 B d_2] \in \mathcal{X}_r$ and $(X \to AB) \in \mathcal{P}$ then $([d_0 X d_2] \to [d_0 A d_1][d_1 B d_2]) \in \mathcal{P}_r$.

Lemma A.2. Let $a \in (\Sigma \cup \Sigma_i \cup \{\varepsilon\})$, $d, d' \in D$ and $X \in \mathcal{X}$. If $d \Rightarrow^*_R a \cdot d'$ and $X \Rightarrow^*_G a$ then $[dXd'] \Rightarrow^*_{G_r} a$.
Proof. The proof is by induction on the length $i$ of the derivation $X \Rightarrow^i_G a$.

$i = 1$. Then $X \Rightarrow_G a$. Moreover $d \Rightarrow^*_R a \cdot d'$ shows that either $d \Rightarrow_R a \cdot d'$, or $d = d'$ and $a = \varepsilon$ (i.e. $d \Rightarrow^0_R a \cdot d'$). In any case we have that $([dXd'] \to a) \in \mathcal{P}_r$ by definition of $G_r$, hence we find that $[dXd'] \Rightarrow_{G_r} a$.

$i > 1$. We have $X \Rightarrow^i_G a$. Then we necessarily have $X \Rightarrow_G ZY \Rightarrow^j_G w_1 Y \Rightarrow^k_G w_1 w_2 = a$ where $j + k = i - 1$. Two cases may arise: $w_1 = a$ and $w_2 = \varepsilon$, or $w_1 = \varepsilon$ and $w_2 = a$. Let us prove the case $w_1 = a$ and $w_2 = \varepsilon$. The other one is treated similarly.

We have $Y \Rightarrow^k_G w_2 \,(= \varepsilon)$ with $k < i - 1$. Moreover for each $d \in D$, we have $d \Rightarrow^*_R w_2 \cdot d$. Next, because $k < i - 1$, we can apply the induction hypothesis to conclude that $[dYd] \Rightarrow^*_{G_r} \varepsilon$ for all $d \in D$.

Also $Z \Rightarrow^j_G w_1 \,(= a)$ with $j < i - 1$. Moreover $d \Rightarrow^*_R a \cdot d'$ shows by induction that $[dZd'] \Rightarrow^*_{G_r} a$. Finally $(X \to ZY) \in \mathcal{P}$ and the definition of $G_r$ shows that $([dXd'] \to [dZd'][d'Yd']) \in \mathcal{P}_r$, hence that $[dXd'] \Rightarrow^*_{G_r} a$ and we are done. ∎

Lemma A.3. Let $X_0 \Rightarrow^*_G w$ where $|w| > 1$. There exist $X, X_1, X_2 \in \mathcal{X}$ and $w_1, w_2 \in (\Sigma \cup \Sigma_i)^* \setminus \{\varepsilon\}$ such that each of the following holds:

$X \Rightarrow_G X_1 X_2 \Rightarrow^*_G w_1 X_2 \Rightarrow^*_G w_1 w_2 = w$

$X_0 \Rightarrow^*_G X$

Proof. The proof is by induction on the length $i$ of the derivation $X_0 \Rightarrow^*_G w$. Since $|w| > 1$, the smallest derivation for $w$ needs no less than three steps.

$i = 3$. Then $X_0 \Rightarrow^3_G w$ is necessarily of the form $X_0 \Rightarrow_G X_1 X_2 \Rightarrow_G \sigma_1 X_2 \Rightarrow_G \sigma_1 \sigma_2 = w$ where $\sigma_1 \neq \varepsilon \neq \sigma_2$. By choosing $X = X_0$ we have $X_0 \Rightarrow^*_G X$, which concludes the proof of this case.

$i > 3$. Then $X_0 \Rightarrow^i_G w$ is necessarily of the form $X_0 \Rightarrow_G X_1 X_2 \Rightarrow^j_G w_1 X_2 \Rightarrow^k_G w_1 w_2 = w$ with $j + k = i - 1$. Three cases may arise:

$w_1 = \varepsilon$ and $w_2 = w$. Therefore we have that $X_1 \Rightarrow^*_G w_1 = \varepsilon$ and $X_2 \Rightarrow^k_G w_2 = w$ with $k < i - 1$. The induction hypothesis shows that there exist $X', X'_1, X'_2$ and $w'_1, w'_2 \in (\Sigma \cup \Sigma_i)^* \setminus \{\varepsilon\}$ such that $X' \Rightarrow_G X'_1 X'_2 \Rightarrow^*_G w'_1 X'_2 \Rightarrow^*_G w'_1 w'_2 \,(= w_2 = w)$ and $X_2 \Rightarrow^*_G X'$. Finally we find that $X_0 \Rightarrow^*_G X' \Rightarrow_G X'_1 X'_2 \Rightarrow^*_G w'_1 X'_2 \Rightarrow^*_G w'_1 w'_2 = w$ and we are done.

$w_1 = w$ and $w_2 = \varepsilon$. This case is similar to the previous one.

$w_1 \neq \varepsilon$ and $w_2 \neq \varepsilon$. By choosing $X = X_0$ we have $X_0 \Rightarrow^*_G X$, which concludes the proof of this case. ∎

Lemma A.4. If $X_0 \Rightarrow^*_G X \Rightarrow^*_G w$ and $[dXd'] \Rightarrow^*_{G_r} w$ then $[dX_0 d'] \Rightarrow^*_{G_r} w$.

Proof. The proof is by induction on the length $i$ of the derivation $X_0 \Rightarrow^*_G X$.

$i = 0$. So we have $X_0 = X$ and the result trivially holds.

$i > 0$. We have $X_0 \Rightarrow^i_G X \Rightarrow^*_G w$. It follows that $X_0 \Rightarrow_G YZ \Rightarrow^{i-1}_G X \Rightarrow^*_G w$. Two cases may arise: $Y \Rightarrow^*_G \varepsilon$ and $Z \Rightarrow^*_G X$, or $Y \Rightarrow^*_G X$ and $Z \Rightarrow^*_G \varepsilon$. We solve the former, the proof of the latter being similar.

Applying Lem. A.2 to $Y \Rightarrow^*_G \varepsilon$ and $d \Rightarrow^*_R d$ we find that $[dYd] \Rightarrow^*_{G_r} \varepsilon$. Next, since $Z \Rightarrow^k_G X$ with $k < i - 1$, we find by induction hypothesis that $[dZd'] \Rightarrow^*_{G_r} w$, hence that $[dX_0 d'] \Rightarrow^*_{G_r} w$ since $([dX_0 d'] \to [dYd][dZd']) \in \mathcal{P}_r$, and we are done. ∎

Lemma A.5. Let $w \in (\Sigma \cup \Sigma_i)^*$, $d, d' \in D$ and $X \in \mathcal{X}$.

$[dXd'] \Rightarrow^*_{G_r} w$ iff $d \Rightarrow^*_R w \cdot d'$ and $X \Rightarrow^*_G w$.

Proof. The proof for the only-if direction is by induction on the length $i$ of the derivation of $[dXd'] \Rightarrow^*_{G_r} w$.

$i = 1$. So we conclude from $[dXd'] \Rightarrow_{G_r} a$ that $([dXd'] \to a) \in \mathcal{P}_r$, hence that $(X \to a) \in \mathcal{P}$ and $(d \to a \cdot d') \in \Delta$ or $d = d'$ by definition of $G_r$, and finally that $X \Rightarrow_G a$ and $d \Rightarrow^*_R a \cdot d'$, and we are done.

$i > 1$. If the derivation of $G_r$ has $i$ steps with $i > 1$, it must be the case that $[dXd'] \Rightarrow_{G_r} [dZd_1][d_1 Y d'] \Rightarrow^j_{G_r} w_1 \cdot [d_1 Y d'] \Rightarrow^k_{G_r} w_1 w_2$ where $w = w_1 w_2$ and $j + k = i - 1$. By induction hypothesis, we have $d \Rightarrow^*_R w_1 \cdot d_1$ and $Z \Rightarrow^*_G w_1$. Also $d_1 \Rightarrow^*_R w_2 \cdot d'$ and $Y \Rightarrow^*_G w_2$. Hence we find that $d \Rightarrow^*_R w_1 w_2 \cdot d'$ and $X \Rightarrow^*_G w_1 w_2$ since $(X \to ZY) \in \mathcal{P}$, and we are done since $w = w_1 w_2$.

For the if direction, let $w \in (\Sigma \cup \Sigma_i)^*$ such that $X \Rightarrow^*_G w$ and $d \Rightarrow^*_R w \cdot d'$. Then the proof goes by induction on the length $i$ of $w$.

$i = 0, 1$. We have $d \Rightarrow^*_R a \cdot d'$ and $X \Rightarrow^*_G a$ with $a \in (\Sigma \cup \Sigma_i \cup \{\varepsilon\})$. This coincides with the result of Lem. A.2.

$i > 1$. Lem. A.3 shows that there exist $X', X_1, X_2 \in \mathcal{X}$ and $w_1, w_2 \in (\Sigma \cup \Sigma_i)^* \setminus \{\varepsilon\}$ such that $X \Rightarrow^*_G X' \Rightarrow_G X_1 X_2 \Rightarrow^*_G w_1 X_2 \Rightarrow^*_G w_1 w_2 = w$.

Since $d \Rightarrow^*_R w \cdot d'$ and $w_1 w_2 = w$, the definition of $R$ shows that there exists $d_1 \in D$ such that $d \Rightarrow^*_R w_1 \cdot d_1 \Rightarrow^*_R w_1 w_2 \cdot d'$.

Hence we can use the induction hypothesis for $w_1$ and $w_2$, which shows that $[dX_1 d_1] \Rightarrow^*_{G_r} w_1$ and $[d_1 X_2 d'] \Rightarrow^*_{G_r} w_2$. Next, we conclude from $(X' \to X_1 X_2) \in \mathcal{P}$ that $([dX'd'] \to [dX_1 d_1][d_1 X_2 d']) \in \mathcal{P}_r$, hence that $[dX'd'] \Rightarrow^*_{G_r} w_1 w_2 = w$.

Finally $X \Rightarrow^*_G X'$ and the result of Lem. A.4 show that $[dXd'] \Rightarrow^*_{G_r} w$. ∎
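Def. A.1 and the equivalence of Lemma A.5, as an added Python example that is not part of the paper: build_gr produces $\mathcal{P}_r$ from a CFG in the normal form used above (rules $X \to \varepsilon$, $X \to a$, $X \to AB$) and a regular grammar, and a CYK-style recognizer checks both sides of the lemma on a constructed grammar pair. The tuple encoding of grammars and the sample grammars are assumptions of this example.

```python
# Constructed example, not the paper's code: Def. A.1 as a function, checked
# against Lemma A.5. A CFG is a set of (X, rhs) with rhs in {(), (a,), (A, B)};
# a regular grammar R is a set of (d, a, d2) standing for d -> a . d2.
# Nonterminals of G_r are triples (d, X, d2), i.e. [dXd2].

def build_gr(cfg, reg):
    """P_r of G_r, by the three rules of Def. A.1."""
    D = {d for d, _, _ in reg} | {d2 for _, _, d2 in reg}
    P_r = set()
    for X, rhs in cfg:
        if rhs == ():                                                # rule (1)
            P_r |= {((d, X, d), ()) for d in D}
        elif len(rhs) == 1:                                          # rule (2)
            P_r |= {((d, X, d2), rhs) for d, a, d2 in reg if a == rhs[0]}
        else:                                                        # rule (3)
            A, B = rhs
            P_r |= {((d0, X, d2), ((d0, A, d1), (d1, B, d2)))
                    for d0 in D for d1 in D for d2 in D}
    return P_r

def derivers(prods, w):
    """Nonterminals deriving w: CYK over substrings w[i:j], iterated to a
    fixpoint in each cell because rule (1) makes some nonterminals nullable."""
    n, tab = len(w), {}
    for span in range(n + 1):
        for i in range(n - span + 1):
            j = i + span
            cell = tab[(i, j)] = set()
            while True:
                new = {X for X, rhs in prods if X not in cell and (
                    (rhs == () and i == j) or (len(rhs) == 1 and rhs[0] == w[i:j]) or
                    (len(rhs) == 2 and any(rhs[0] in tab[(i, k)] and rhs[1] in tab[(k, j)]
                                           for k in range(i, j + 1))))}
                if not new:
                    break
                cell |= new
    return tab[(0, n)]

def reg_reaches(reg, d, w):
    """States d2 with d =>* w . d2 in R."""
    states = {d}
    for a in w:
        states = {d2 for d1, b, d2 in reg if d1 in states and b == a}
    return states

def lemma_a5_holds(cfg, reg, words):
    """[dXd2] =>* w in G_r  iff  d =>* w.d2 in R and X =>* w in G, all triples."""
    P_r, D = build_gr(cfg, reg), {d for d, _, _ in reg} | {d2 for _, _, d2 in reg}
    return all(((d, X, d2) in derivers(P_r, w)) ==
               (d2 in reg_reaches(reg, d, w) and X in derivers(cfg, w))
               for w in words for d in D for d2 in D for X in {X for X, _ in cfg})

# Constructed sample: G generates a^n b^n, R counts the word length modulo 3.
CFG = {("S", ()), ("S", ("A", "T")), ("T", ("S", "B")), ("A", ("a",)), ("B", ("b",))}
REG = {(f"d{k}", a, f"d{(k + 1) % 3}") for k in range(3) for a in "ab"}
```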

Definition A.6. Given $G_r = (\mathcal{X}_r, \Sigma \cup \Sigma_i, \mathcal{P}_r)$ as given in Def. 4.2, define $G_R = (\mathcal{X}_R, \Sigma, \mathcal{P}_R)$ where $\mathcal{X}_R = \mathcal{X}_r$ and $\mathcal{P}_R$ is the smallest set such that if $(A \to \alpha) \in \mathcal{P}_r$ then $(A \to \mathrm{Proj}_{\Sigma \cup \mathcal{X}_r}(\alpha)) \in \mathcal{P}_R$.

It is routine to check that Def. A.6 is equivalent to Def. 4.2 p. 12. Finally, we conclude from Lem. A.5 and Def. A.6 that for every $d, d' \in D$ and $X \in \mathcal{X}$ we have: (i) let $w_1 \in \Sigma^*$ such that $[dXd'] \Rightarrow^*_{G_R} w_1$; then there exists $w_2 \in (\Sigma \cup \Sigma_i)^*$ such that $d \Rightarrow^*_R w_2 \cdot d'$, $X \Rightarrow^*_G w_2$ and $\mathrm{Proj}_\Sigma(w_2) = w_1$; (ii) let $w \in (\Sigma \cup \Sigma_i)^*$ such that $d \Rightarrow^*_R w \cdot d'$ and $X \Rightarrow^*_G w$; then $[dXd'] \Rightarrow^*_{G_R} \mathrm{Proj}_\Sigma(w)$.

Hence Lem. 4.3 holds.

A.1. Reduction from Petri Nets to Boolean Petri Nets

Lemma A.7. (1) Let $(N, m_i)$ be an initialized PN. There exists a Boolean initialized PN $(N', m'_i)$, computable in polynomial time in the size of $(N, m_i)$, such that $(N, m_i)$ is bounded iff $(N', m'_i)$ is bounded.

(2) Let $(N, m_i, m_f)$ be an instance of the reachability (respectively, coverability) problem. There exists a Boolean initialized Petri net $(N', m'_i)$ and a Boolean marking $m'_f$, computable in polynomial time, such that $m_f$ is reachable (respectively, coverable) in $(N, m_i)$ iff $m'_f$ is reachable (respectively, coverable) in $(N', m'_i)$.
Proof. We prove the result in two steps. First, we transform the instances so that the initial marking and (in the case of coverability and reachability) the target markings are Boolean. Second, we transform the instances so that $I(t)$ and $O(t)$ are Boolean for each transition $t$.

Consider a boundedness problem instance $(N = (S, T, F), m_i)$. In the first step, we define an equivalent instance $(N^b, m^b_i)$ where the marking $m^b_i$ is Boolean (but transitions in $N^b$ need not be Boolean). We perform the transformation by adding a new place $p_i$ and a new transition $t_i$ that consumes a token from $p_i$ and puts $m_i$ tokens in the other places. Initially, $m^b_i$ has one token in $p_i$ and zero tokens in all other places. Formally, $N^b = (S \cup \{p_i\}, T \cup \{t_i\}, F^b = (I^b, O^b))$, where $I^b(t) = I(t)$ and $O^b(t) = O(t)$ for all $t \in T$, and $I^b(t_i) = [p_i]$ and $O^b(t_i) = m_i$.

Consider now a coverability problem instance $(N, m_i, m)$. To replace $m_i$ and $m$ by Boolean markings, intuitively, we add two new places $p_i$ and $p_c$ to $N$. As in the case of boundedness, there is a single transition out of $p_i$ that consumes one token and produces $m_i$. Additionally, there is one transition that consumes $m$ and produces a single token in $p_c$. Formally, define $N^b = (S \cup \{p_i, p_c\}, T \cup \{t_i, t_c\}, F^b)$ with $F^b(T) = F(T)$, $F^b(t_i) = ([p_i], m_i)$ and $F^b(t_c) = (m, [p_c])$. The initial and target markings are respectively given by $[p_i]$ and $[p_c]$, each of which is Boolean.

Let us turn to a reachability problem instance $(N, m_i, m)$. The initial marking is made Boolean using the same trick: add a new place $p_i$ and a transition that consumes one token from $p_i$ and produces $m_i$ tokens. To get rid of $m$, we use a construction from [Hack 1976] and additionally add a new place $p_r$. Then, we change each transition of $N$ to additionally consume a token from $p_r$ and produce a token back in $p_r$. Finally, we add a new transition that consumes $m \oplus [p_r]$ tokens and produces no tokens. The initial marking puts one token each in $p_i$ and $p_r$, and we ask if the marking where every place has zero tokens is reachable. Formally, define $N^b = (S \cup \{p_i, p_r\}, T \cup \{t_i, t_r\}, F^b)$ such that $F^b(t) = ([p_r] \oplus I(t), [p_r] \oplus O(t))$ where $F(t) = (I(t), O(t))$, $F^b(t_i) = ([p_i], m_i)$ and $F^b(t_r) = (m \oplus [p_r], \emptyset)$. The initial and target markings are respectively given by $[p_i, p_r]$ and the empty marking, each of these markings being a set.

We now move to the second step of the construction. Given a PN $N = (S, T, F)$, we show how to compute in polynomial time a PN $N' = (S', T', F')$ such that for every transition $t \in T'$ the multisets $I(t)$ and $O(t)$ are Boolean. The construction is independent of the decision problem (boundedness, coverability, or reachability).

Assume that $S$ is given by $\{s_1, \dots, s_n\}$ and $T$ is given by $\{t_1, \dots, t_k\}$.
We convert $N$ to a Boolean Petri net in five steps. First, we define the PN $N_1 = (S_1, T_1, F_1)$. The set of places is $S_1 = S$. For each $t \in T$, we define the transitions $t^I_1, t^I_2, \dots, t^I_n, t^O_1, t^O_2, \dots, t^O_n$ in $T_1$ such that:

$F_1(t^I_i) = (\mathrm{Proj}_{\{s_i\}}(I(t)), \emptyset)$ and $F_1(t^O_i) = (\emptyset, \mathrm{Proj}_{\{s_i\}}(O(t)))$ for $i \in \{1, \dots, n\}$.

Intuitively, to each pair $(s_i, t)$ ($i \in \{1, \dots, n\}$, $t \in T$) we associate two transitions $t^I_i$ and $t^O_i$ of $T_1$ which we will use to simulate the effect of $t$ on $s_i$.

Second, we define the PN $N_2$ which is given by the synchronized product of $N_1$ with the following regular language over the alphabet $T_1$:

$L = (w_1 + \dots + w_k)^*$

where each $w_i = t^I_{i,1} t^O_{i,1} \cdots t^I_{i,n} t^O_{i,n}$ is a finite word that simulates the firing of transition $t_i \in T$ for $i \in \{1, \dots, k\}$. Clearly, since each $w_i$ corresponds to the firing of transition $t_i \in T$, we find that $N_2$ simulates $N$ (i.e., $m[t\rangle$ does not hold in $N$ iff $m[t^I_i\rangle$ does not hold for some $i \in \{1, \dots, n\}$; and $m[t\rangle m'$ iff $m[w\rangle m'$).

Observe that $N_2$ is still not a Boolean PN. In the third step, we replace each transition $t^O_i$ (resp. $t^I_i$), which produces (resp. consumes) $\mathrm{Proj}_{\{s_i\}}(O(t))$ (resp. $\mathrm{Proj}_{\{s_i\}}(I(t))$) tokens to (resp. from) place $s_i$, by a Boolean PN $N_{t^O}$ (resp. $N_{t^I}$). We do this by defining the following class of widgets.

Let us consider a transition $t^O_i$ which produces $m$ tokens into $s_i$, and let $M = \lceil \log_2 m \rceil$. We will substitute $t^O_i$ with a Boolean PN $N_{t^O}$. We call such a PN a widget. A generic description of a widget is given in Fig. 9.

Intuitively, the widget behaves like a binary decrementer. To begin with, we shall put a $(0,1)$-marking on the widget, where for each "column" labeled $1, \dots, M$ we put a single token in either the 0th row or the 1st row. Each $(0,1)$-marking coincides with the binary representation of a number in the range $[0, 2^M - 1]$, obtained by $\sum_{i=1}^{M} \delta_i 2^{i-1}$ where $\delta_i = 1$ if the $(0,1)$-marking places a token in the 1st row of column $i$ and $\delta_i = 0$ if the $(0,1)$-marking places a token in the 0th row of column $i$. Conversely, every number in the range $[0, 2^M - 1]$ corresponds to exactly one $(0,1)$-marking of the widget. Let $f$ be the function which takes as input a number in the range $[0, 2^M - 1]$ and returns the corresponding $(0,1)$-marking.

One can check that the widget defines a Boolean PN. Moreover, from every $(0,1)$-marking there exists exactly one enabled transition in the widget. Hence the widget behaves as follows: starting from marking $f(m)$ there exists a unique maximal sequence of enabled transitions which consists of $m$ transitions in $\{t_1, \dots, t_n\}$ followed by $\hat t$, enabled at the marking which represents $0$ in binary (i.e., the $(0,1)$-marking that puts a single token in the 0th row of each column). Next, we add a transition $\bar t$ whose role is to initialize the widget with marking $f(m)$. Therefore we have $F_{t^O}(\bar t) = (\emptyset, f(m))$. Finally let us add an arc from every transition of the widget except $\bar t$ and $\hat t$ into place $s_i$.

From the above construction, we observe that the firing of any sequence in the language $\bar t \cdot (\{t_1, \dots, t_n\})^* \cdot \hat t$ has the effect of producing exactly $m$ tokens in place $s_i$.

Using a similar reasoning one can define a widget for $t^I_i$.

In the fourth step, let us define $N_3$ as the PN which is given by the union of all the widgets (therefore $S$ is contained in the places of $N_3$). Given $i \in \{1, \dots, n\}$, let us denote by $T_{t^I_i}$ and $T_{t^O_i}$ the sets of transitions of the widgets corresponding to $t^I_i$ and $t^O_i$, respectively. Also we have the transitions $\bar t^I_i, \hat t^I_i, \bar t^O_i, \hat t^O_i$. Observe that $N_3$ is a Boolean PN.

Finally, to conclude the construction of the Boolean PN $N'$, we define $N'$ as the synchronized product of $N_3$ with the language $\tau(L)$, where $\tau$ is a substitution which maps $t^I_i$ onto the language $(\bar t^I_i \cdot (T_{t^I_i})^* \cdot \hat t^I_i)$ and $t^O_i$ onto the language $(\bar t^O_i \cdot (T_{t^O_i})^* \cdot \hat t^O_i)$.

It is routine to check that the obtained PN is Boolean and that it can be computed in polynomial time in the size of $N$. ∎
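The decrementer widget of the third step, as an added Python example that is not the paper's Fig. 9: an explicit Boolean PN whose transitions are named t_init, t_1..t_M and t_end, run from $f(m)$ to check that exactly $m$ tokens reach $s$ and that exactly one transition is enabled at every $(0,1)$-marking. The column/row place layout, the borrow-chain encoding of the decrement and the choice M = m.bit_length() are assumptions of this example.

```python
from collections import Counter

# Constructed example, not the paper's Fig. 9: a widget N_{t^O} as an
# explicit Boolean PN that produces m tokens in place s. Places are
# (column, row) with row in {0, 1}, plus s; a transition is
# (name, inputs, outputs) with inputs/outputs as sets, so every place is
# consumed or produced at most once (Boolean). We take M = m.bit_length()
# columns so that f(m) exists (the text writes M = ceil(log2 m)).

def f(value, M):
    """The (0,1)-marking of value: column i holds a token in row bit_i."""
    return {(i, (value >> (i - 1)) & 1) for i in range(1, M + 1)}

def widget(m, s="s"):
    """Transitions t_init, t_1..t_M (binary decrementer) and t_end."""
    M = m.bit_length()
    cols = range(1, M + 1)
    t_init = ("t_init", set(), f(m, M))
    # t_i fires when column i is the lowest column holding a 1: it flips
    # column i to 0, columns 1..i-1 from 0 to 1 (borrow), and emits one s.
    decs = [(f"t_{i}", {(i, 1)} | {(j, 0) for j in range(1, i)},
             {(i, 0)} | {(j, 1) for j in range(1, i)} | {s}) for i in cols]
    t_end = ("t_end", {(i, 0) for i in cols}, set())   # enabled only at f(0)
    return [t_init] + decs + [t_end]

def enabled(marking, t):
    return all(marking[p] >= 1 for p in t[1])

def fire(marking, t):
    nxt = Counter(marking)
    nxt.subtract(Counter(t[1]))
    nxt.update(Counter(t[2]))
    return +nxt          # keep only places with a positive count

def run_widget(m):
    """Fire t_init, then the unique enabled transition until t_end fires.
    Returns (names fired, tokens in s); the loop checks that from every
    (0,1)-marking exactly one transition is enabled."""
    ts = widget(m)
    marking, fired = fire(Counter(), ts[0]), [ts[0][0]]
    while fired[-1] != "t_end":
        en = [t for t in ts[1:] if enabled(marking, t)]
        assert len(en) == 1, f"widget not deterministic at {marking}"
        marking = fire(marking, en[0])
        fired.append(en[0][0])
    return fired, marking["s"]
```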